Windows Analysis Report
7qBBKk0P4l.exe

Overview

General Information

Sample name: 7qBBKk0P4l.exe (renamed because the original name is a hash value)
Original sample name: 3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470.exe
Analysis ID: 1488122
MD5: 94e7772b2b1bda89b23a2fba0e57742e
SHA1: 2af48b80b7354b4a15eff49af3f3d70d3e5789a4
SHA256: 3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470
Tags: exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to resolve many domain names, but no domain seems valid
Connects to many different domains
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Executes massive DNS lookups (> 100)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 7qBBKk0P4l.exe (PID: 1824 cmdline: "C:\Users\user\Desktop\7qBBKk0P4l.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
    • psjpq2i82ktsjq0yguk.exe (PID: 6892 cmdline: "C:\hjflhukc\psjpq2i82ktsjq0yguk.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
      • yanidfx.exe (PID: 4136 cmdline: "C:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
  • yanidfx.exe (PID: 2768 cmdline: C:\hjflhukc\yanidfx.exe MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
    • xxxniijvj.exe (PID: 3552 cmdline: tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
      • yanidfx.exe (PID: 3392 cmdline: "c:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
        • xxxniijvj.exe (PID: 764 cmdline: tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
  • svchost.exe (PID: 3964 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 3964, ProcessName: svchost.exe
This is the host process of the Windows License Manager service (-s LicenseManager) in the LocalService group; the event records no parent image or parent command line, only ParentProcessId 624, so it should be read together with the dropped-file tree above rather than on its own.
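The tree above shows the sample copying itself into C:\hjflhukc\ under random names and relaunching the copy: every child carries the parent's MD5 under a different image path, and the second generation starts the sibling copy with a token followed by the quoted path of the other copy (tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"). The Python below is an added example, not part of the Joe Sandbox report, that encodes those three traits as a check over process-creation events. The event list is constructed from the tree (ppid None where the report shows no parent, MD5s as the report prints them); the allow-list of root directories and the rule thresholds are the example's own assumptions.

```python
import re

# Directories that legitimately sit directly under a drive root (assumption:
# extend for your estate; anything else one level below the root is suspicious).
KNOWN_ROOT_DIRS = {"windows", "users", "program files", "program files (x86)",
                   "programdata", "perflogs", "recovery", "$recycle.bin"}

# Process-creation events constructed from the process tree in this report.
# ppid None = the report shows no parent; MD5s as the report prints them.
SAMPLE_MD5 = "94e7772b2b1bda89b23a2fba0e57742e"
EVENTS = [
    {"pid": 1824, "ppid": None, "md5": SAMPLE_MD5,
     "image": r"C:\Users\user\Desktop\7qBBKk0P4l.exe",
     "cmdline": r'"C:\Users\user\Desktop\7qBBKk0P4l.exe"'},
    {"pid": 6892, "ppid": 1824, "md5": SAMPLE_MD5,
     "image": r"C:\hjflhukc\psjpq2i82ktsjq0yguk.exe",
     "cmdline": r'"C:\hjflhukc\psjpq2i82ktsjq0yguk.exe"'},
    {"pid": 4136, "ppid": 6892, "md5": SAMPLE_MD5,
     "image": r"C:\hjflhukc\yanidfx.exe", "cmdline": r'"C:\hjflhukc\yanidfx.exe"'},
    {"pid": 2768, "ppid": None, "md5": SAMPLE_MD5,
     "image": r"C:\hjflhukc\yanidfx.exe", "cmdline": r"C:\hjflhukc\yanidfx.exe"},
    {"pid": 3552, "ppid": 2768, "md5": SAMPLE_MD5,
     "image": r"C:\hjflhukc\xxxniijvj.exe",
     "cmdline": r'tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"'},
    {"pid": 3392, "ppid": 3552, "md5": SAMPLE_MD5,
     "image": r"C:\hjflhukc\yanidfx.exe", "cmdline": r'"c:\hjflhukc\yanidfx.exe"'},
    {"pid": 764, "ppid": 3392, "md5": SAMPLE_MD5,
     "image": r"C:\hjflhukc\xxxniijvj.exe",
     "cmdline": r'tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"'},
    {"pid": 3964, "ppid": 624, "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager"},
]

# One bare token, then a quoted path to an .exe and nothing else.
SIBLING_ARG_RE = re.compile(r'^\S+\s+"([^"]+\.exe)"$', re.IGNORECASE)


def root_dir(image):
    """Return the directory name when the image sits exactly one level below a
    drive root (C:\\hjflhukc\\x.exe -> 'hjflhukc'), otherwise None."""
    parts = image.replace("/", "\\").split("\\")
    if len(parts) == 3 and re.fullmatch(r"[A-Za-z]:", parts[0]):
        return parts[1]
    return None


def flag_events(events):
    """Return {pid: [reasons]} for events matching the self-copy relaunch pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        d = root_dir(e["image"])
        if d is not None and d.lower() not in KNOWN_ROOT_DIRS:
            reasons.append("image in non-standard root directory "
                           + e["image"].rsplit("\\", 1)[0])
        parent = by_pid.get(e["ppid"])
        if (parent and parent["md5"] == e["md5"]
                and parent["image"].lower() != e["image"].lower()):
            reasons.append(f"same MD5 as parent {parent['pid']} under a different "
                           "path (self-copy relaunch)")
        m = SIBLING_ARG_RE.match(e["cmdline"])
        if m and m.group(1).lower() != e["image"].lower():
            reasons.append("argument names another copy: " + m.group(1))
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_events(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Run against the constructed events, the six processes under C:\hjflhukc\ are flagged and neither the original Desktop sample nor svchost.exe is; the two xxxniijvj.exe instances collect all three reasons. The hash comparison is what separates a self-copy relaunch from an installer starting a different binary, so keep the parent's hash in the event you correlate on rather than only its path.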
IDS alerts (timestamp; SID; protocol, source port -> destination port; classtype):
2024-08-05T16:29:15.427900+0200; SID 2815568; TCP 49705 -> 80; A Network Trojan was detected
2024-08-05T16:29:21.526506+0200; SID 2815568; TCP 49711 -> 80; A Network Trojan was detected
2024-08-05T16:29:28.585913+0200; SID 2815568; TCP 49716 -> 80; A Network Trojan was detected
2024-08-05T16:29:11.586178+0200; SID 2811542; UDP 53 -> 56919; A Network Trojan was detected
2024-08-05T16:29:12.540506+0200; SID 2815568; TCP 49704 -> 80; A Network Trojan was detected
2024-08-05T16:29:15.432885+0200; SID 2037771; TCP 80 -> 49705; A Network Trojan was detected
2024-08-05T16:29:17.836857+0200; SID 2037771; TCP 80 -> 49706; A Network Trojan was detected
2024-08-05T16:29:31.727756+0200; SID 2037771; TCP 80 -> 49719; A Network Trojan was detected
2024-08-05T16:31:09.914916+0200; SID 2815568; TCP 60229 -> 80; A Network Trojan was detected
2024-08-05T16:30:40.325809+0200; SID 2815568; TCP 60228 -> 80; A Network Trojan was detected
2024-08-05T16:29:18.843079+0200; SID 2018316; UDP 53 -> 54266; A Network Trojan was detected

AV Detection

Source: 7qBBKk0P4l.exe; Avira: detected
Source: C:\hjflhukc\xxxniijvj.exe; Avira: detection malicious, Label: HEUR/AGEN.1318579
Source: C:\hjflhukc\yanidfx.exe; Avira: detection malicious, Label: HEUR/AGEN.1318579
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe; Avira: detection malicious, Label: HEUR/AGEN.1318579
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe; ReversingLabs: Detection: 92%
Source: C:\hjflhukc\xxxniijvj.exe; ReversingLabs: Detection: 92%
Source: C:\hjflhukc\yanidfx.exe; ReversingLabs: Detection: 92%
Source: 7qBBKk0P4l.exe; ReversingLabs: Detection: 92%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\hjflhukc\xxxniijvj.exe; Joe Sandbox ML: detected
Source: C:\hjflhukc\yanidfx.exe; Joe Sandbox ML: detected
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe; Joe Sandbox ML: detected
Source: 7qBBKk0P4l.exe; Joe Sandbox ML: detected

Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe; Code function: 2_2_0092BECE GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 2_2_0092BECE
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe; Code function: 2_2_0093AE3B CryptAcquireContextA, 2_2_0093AE3B
Source: C:\hjflhukc\yanidfx.exe; Code function: 3_2_006EBECE GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 3_2_006EBECE
Source: C:\hjflhukc\yanidfx.exe; Code function: 3_2_006FAE3B CryptAcquireContextA, 3_2_006FAE3B

Source: 7qBBKk0P4l.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\7qBBKk0P4l.exe; Code function: 1_2_000C5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_000C5C39
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe; Code function: 2_2_00925C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00925C39
Source: C:\hjflhukc\yanidfx.exe; Code function: 3_2_006E5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_006E5C39
Source: C:\hjflhukc\xxxniijvj.exe; Code function: 4_2_000E5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_000E5C39
Source: C:\hjflhukc\xxxniijvj.exe; Code function: 11_2_00E25C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 11_2_00E25C39

Networking

Source: unknown; DNS traffic detected: 154 queries answered with reply code Name error (3) (RCODE 3, NXDOMAIN), as listed in the report:
smokesystem.net, alreadylaughter.net, followbelieve.net, summerbranch.net, gentlemanconsider.net, freshconsider.net, womanreceive.net, gentlemanfancy.net,
followhonor.net, alreadybranch.net, crowdbelieve.net, gentlemanquarter.net, womannorth.net, beginlaughter.net, beginquarter.net, crowdhonor.net,
memberlaughter.net, alreadyquarter.net, memberbelieve.net, alreadysystem.net, gentlemansystem.net, experiencequarter.net, partyquarter.net, experiencereceive.net,
waterbelieve.net, memberfancy.net, crowdquarter.net, smokegeneral.net, freshquarter.net, smokequarter.net, experienceconsider.net, summersystem.net,
memberbranch.net, summerquarter.net, summerhonor.net, partysystem.net, alreadyreceive.net, partybranch.net, experiencefriend.net, knownlaughter.net,
gentlemanneither.net, freshhonor.net, memberconsider.net, fightnorth.net, fightinclude.net, fightgeneral.net, experienceneither.net, waterneither.net,
waterbranch.net, alreadytrust.net, freshsystem.net, fighttrust.net, smokebelieve.net, beginbelieve.net, crowdreceive.net, experiencebelieve.net,
fightquarter.net, experiencebranch.net, thoughtreceive.net, womanquarter.net, smokenorth.net, freshreceive.net, crowdsystem.net, freshbranch.net,
knownbranch.net, smokehonor.net, thoughtquarter.net, crowdneither.net, followsystem.net, knownhonor.net, womantrust.net, beginreceive.net,
watertrust.net, smokeneither.net, alreadybelieve.net, freshneither.net, experiencesystem.net, knowntrust.net, alreadyfancy.net, smokereceive.net,
knownquarter.net, beginhonor.net, followbranch.net, knownreceive.net, partyinclude.net, followreceive.net, fightreceive.net, summertrust.net,
partytrust.net, thoughtbelieve.net, beginneither.net, knownneither.net, fighthonor.net, fightbranch.net, begintrust.net, freshlaughter.net,
knownbelieve.net, smokeclear.net, fightneither.net, followlaughter.net, thoughtneither.net, alreadyconsider.net, smoketrust.net, memberneither.net,
gentlemantrust.net, partynorth.net, womanneither.net, womangeneral.net, smokeinclude.net, waterreceive.net, gentlemanhonor.net, waterquarter.net,
followneither.net, followfancy.net, followtrust.net, memberquarter.net, womaninclude.net, womanbranch.net, followconsider.net, partyclear.net,
waterhonor.net, gentlemanbelieve.net, experiencetrust.net, summerneither.net, thoughttrust.net, knownsystem.net, womanclear.net, thoughthonor.net,
fightclear.net, beginsystem.net, fightbelieve.net, experiencelaughter.net, experiencehonor.net, freshtrust.net, summerreceive.net, experiencefancy.net,
partyhonor.net, gentlemanbranch.net, memberfriend.net, partyreceive.net, gentlemanfriend.net, freshbelieve.net, womansystem.net, followquarter.net,
smokebranch.net, gentlemanreceive.net, crowdbranch.net, alreadyneither.net, beginbranch.net, memberhonor.net, summerbelieve.net, alreadyhonor.net,
gentlemanlaughter.net, partyneither.net
Source: unknown; Network traffic detected: DNS query count 170
Source: global traffic; DNS traffic detected: number of DNS queries: 170
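Every name in the DNS lists is two English words run together under .net. Across the run the queries use 16 prefix words (already, begin, crowd, experience, fight, follow, fresh, gentleman, known, member, party, smoke, summer, thought, water, woman) and 16 suffix words (believe, branch, clear, consider, fancy, friend, general, honor, include, laughter, neither, north, quarter, receive, system, trust), and 154 of the listed names came back NXDOMAIN against 170 queries counted. The Python below is an added example, not part of the Joe Sandbox report, that turns those two observations into a check over DNS log lines: it parses lines in the report's own "query: ... (rcode)" form, flags an NXDOMAIN burst, and recovers the word list by splitting each name at the boundary that the most other names share (random-character names never satisfy that, so they fall through to the burst rule alone). The sample log is constructed from 27 names in the report; the "No error (0)" codes on the four hosts that later received HTTP requests are an assumption, since the report does not print their response codes, and so are the thresholds.

```python
import re

# DNS log lines in the shape this report prints them (constructed input). The 23
# NXDOMAIN names are taken from the report's query list; the 4 "No error" lines
# are an assumption: those hosts received HTTP requests, so they must have resolved.
SAMPLE_LOG = """\
query: womanclear.net reply code: Name error (3)
query: smokeclear.net reply code: Name error (3)
query: womangeneral.net reply code: Name error (3)
query: smokegeneral.net reply code: Name error (3)
query: womaninclude.net reply code: Name error (3)
query: smokeinclude.net reply code: Name error (3)
query: womannorth.net reply code: Name error (3)
query: smokenorth.net reply code: Name error (3)
query: partyclear.net reply code: Name error (3)
query: fightclear.net reply code: Name error (3)
query: partygeneral.net reply code: No error (0)
query: fightgeneral.net reply code: Name error (3)
query: partyinclude.net reply code: Name error (3)
query: fightinclude.net reply code: Name error (3)
query: partynorth.net reply code: Name error (3)
query: fightnorth.net reply code: Name error (3)
query: freshbranch.net reply code: Name error (3)
query: experiencebranch.net reply code: Name error (3)
query: freshbelieve.net reply code: Name error (3)
query: experiencebelieve.net reply code: Name error (3)
query: freshreceive.net reply code: Name error (3)
query: experiencereceive.net reply code: Name error (3)
query: freshquarter.net reply code: Name error (3)
query: experiencequarter.net reply code: Name error (3)
query: memberreceive.net reply code: No error (0)
query: thoughtbranch.net reply code: No error (0)
query: womanbelieve.net reply code: No error (0)
"""

# Constructed benign traffic for comparison.
BENIGN_LOG = """\
query: www.microsoft.com reply code: No error (0)
query: login.live.com reply code: No error (0)
query: update.example.org reply code: No error (0)
"""

# Tolerates both "reply code" and the report's "replaycode" spelling.
LINE_RE = re.compile(r"query:\s*(?P<name>[A-Za-z0-9.-]+).*?\((?P<rcode>\d+)\)")
NXDOMAIN = 3  # RFC 1035 RCODE 3, printed as "Name error (3)" in the report


def parse(log):
    """Return [(fqdn, rcode)] for every line carrying a query and a reply code."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("name").lower().strip("."), int(m.group("rcode"))))
    return out


def second_level(fqdn):
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def split_words(labels, min_len=3):
    """Guess each label's word boundary as the split p|s that the most other
    labels share (they start with p and end with s). Labels whose halves nobody
    else shares get None; random-character names land there."""
    labels = set(labels)
    found = {}
    for lab in labels:
        best, best_score = None, 0
        for i in range(min_len, len(lab) - min_len + 1):
            p, s = lab[:i], lab[i:]
            score = min(sum(o != lab and o.startswith(p) for o in labels),
                        sum(o != lab and o.endswith(s) for o in labels))
            if score > best_score:
                best, best_score = (p, s), score
        found[lab] = best
    return found


def triage(log, min_queries=20, nx_ratio=0.8, dict_share=0.8):
    """Score a DNS log for the two behaviours the report flags: an NXDOMAIN burst
    and many names assembled from a small word list. Thresholds are assumptions."""
    records = parse(log)
    total = len(records)
    nxdomain = sum(rc == NXDOMAIN for _, rc in records)
    labels = {second_level(n) for n, _ in records}
    decomposed = {lab: ps for lab, ps in split_words(labels).items() if ps}
    vocab = {w for ps in decomposed.values() for w in ps}
    verdicts = []
    if total >= min_queries and nxdomain >= nx_ratio * total:
        verdicts.append("nxdomain-burst")
    # Most names split into shared words, and the names outnumber the words.
    if (labels and len(decomposed) >= dict_share * len(labels)
            and len(labels) >= 1.5 * len(vocab)):
        verdicts.append("dictionary-dga")
    return {"queries": total, "nxdomain": nxdomain, "distinct_names": len(labels),
            "vocab": sorted(vocab), "verdicts": verdicts}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(triage(BENIGN_LOG))
```

On the constructed log both verdicts fire and the recovered vocabulary is the 14 words present in those 27 names; the benign log yields neither. The boundary heuristic needs several names per word before it locks on, so run it over a window of queries per host rather than line by line, and treat the NXDOMAIN-ratio rule as the one that also catches random-character generators the word-split cannot decompose.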
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partygeneral.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: memberreceive.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtbranch.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanbelieve.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partybelieve.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membersystem.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membertrust.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: crowdtrust.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtsystem.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: watersystem.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanhonor.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: freshfancy.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: alreadyfriend.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: followfriend.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partygeneral.net
Source: global traffic; HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: memberreceive.net
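Every request above is the same hand-built HTTP/1.0 GET for /index.php carrying only Accept, Connection and Host and no User-Agent (the "HTTP GET or POST without a user agent" signature), repeated across the hosts that resolved; that shape matches the socket/connect/send/recv chain the report lists later rather than a WinINet or WinHTTP client. The Python below is an added example, not anything from the report, that restores the CRLFs the report's rendering collapsed, parses each request, flags the traits browsers and the Windows HTTP stacks do not produce by default, and clusters requests by (method, path, version, header names) so hosts sharing one client fingerprint fall out as a set. The 14 host names are the ones the report lists; the request bytes are reconstructed, and the anomaly rules are the example's own choices.

```python
# Hosts of the GET /index.php requests listed in this report (14 distinct).
OBSERVED_HOSTS = [
    "partygeneral.net", "memberreceive.net", "thoughtbranch.net", "womanbelieve.net",
    "partybelieve.net", "membersystem.net", "membertrust.net", "crowdtrust.net",
    "thoughtsystem.net", "watersystem.net", "womanhonor.net", "freshfancy.net",
    "alreadyfriend.net", "followfriend.net",
]


def build_request(host):
    """Reconstruct the request as the sample sends it; the report shows the same
    bytes with the CRLFs collapsed. Constructed input, not a capture."""
    return (f"GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")


def parse_request(raw):
    """Split a raw HTTP request into method, path, version and a header dict
    (names lower-cased, insertion order preserved)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def anomalies(req):
    """Traits that browsers and the Windows HTTP stacks (WinINet, WinHTTP) do not
    produce by default. Which traits to count is the example's own assumption."""
    h = req["headers"]
    found = []
    if "user-agent" not in h:
        found.append("no User-Agent header")
    if req["version"] == "HTTP/1.0":
        found.append("HTTP/1.0 request line")
    if (h.get("accept") == "*/*" and h.get("connection", "").lower() == "close"
            and len(h) <= 3):
        found.append("minimal header set (Accept, Connection, Host only)")
    return found


def fingerprint(req):
    """Key that ignores the host: the same client code yields the same tuple."""
    return (req["method"], req["path"], req["version"], tuple(req["headers"]))


def cluster(raw_requests):
    """Group requests by fingerprint -> sorted distinct Host values."""
    groups = {}
    for raw in raw_requests:
        req = parse_request(raw)
        groups.setdefault(fingerprint(req), set()).add(req["headers"].get("host", ""))
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


if __name__ == "__main__":
    for fp, hosts in cluster(build_request(h) for h in OBSERVED_HOSTS).items():
        print(fp, len(hosts), "hosts")
        print(anomalies(parse_request(build_request(hosts[0]))))
```

All 14 reconstructed requests land in a single cluster keyed ("GET", "/index.php", "HTTP/1.0", ("accept", "connection", "host")), and each carries all three anomalies, while a curl-style HTTP/1.1 request with a User-Agent carries none. The fingerprint is the part worth keeping: the host names rotate, the client code does not.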
Source: Joe Sandbox View; IP Address: 188.225.40.227
Source: Joe Sandbox View; IP Address: 34.246.200.160
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (50 occurrences)
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe; Code function: 1_2_000D8695 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,closesocket, 1_2_000D8695
Source: global traffic; DNS traffic detected: DNS queries, in the order listed:
womanclear.net, smokeclear.net, womangeneral.net, smokegeneral.net, womaninclude.net, smokeinclude.net, womannorth.net, smokenorth.net,
partyclear.net, fightclear.net, partygeneral.net, fightgeneral.net, partyinclude.net, fightinclude.net, partynorth.net, fightnorth.net,
freshbranch.net, experiencebranch.net, freshbelieve.net, experiencebelieve.net, freshreceive.net, experiencereceive.net, freshquarter.net, experiencequarter.net,
gentlemanbranch.net, alreadybranch.net, gentlemanbelieve.net, alreadybelieve.net, gentlemanreceive.net, alreadyreceive.net, gentlemanquarter.net, alreadyquarter.net,
followbranch.net, memberbranch.net, followbelieve.net, memberbelieve.net, followreceive.net, memberreceive.net, followquarter.net, memberquarter.net,
beginbranch.net, knownbranch.net, beginbelieve.net, knownbelieve.net, beginreceive.net, knownreceive.net, beginquarter.net, knownquarter.net,
summerbranch.net, crowdbranch.net, summerbelieve.net, crowdbelieve.net, summerreceive.net, crowdreceive.net, summerquarter.net, crowdquarter.net,
thoughtbranch.net, waterbranch.net, thoughtbelieve.net, waterbelieve.net, thoughtreceive.net, waterreceive.net, thoughtquarter.net, waterquarter.net,
womanbranch.net, smokebranch.net, womanbelieve.net, smokebelieve.net, womanreceive.net
Source: global trafficDNS traffic detected: DNS query: smokereceive.net
Source: global trafficDNS traffic detected: DNS query: womanquarter.net
Source: global trafficDNS traffic detected: DNS query: smokequarter.net
Source: global trafficDNS traffic detected: DNS query: partybranch.net
Source: global trafficDNS traffic detected: DNS query: fightbranch.net
Source: global trafficDNS traffic detected: DNS query: partybelieve.net
Source: global trafficDNS traffic detected: DNS query: fightbelieve.net
Source: global trafficDNS traffic detected: DNS query: partyreceive.net
Source: global trafficDNS traffic detected: DNS query: fightreceive.net
Source: global trafficDNS traffic detected: DNS query: partyquarter.net
Source: global trafficDNS traffic detected: DNS query: fightquarter.net
Source: global trafficDNS traffic detected: DNS query: freshhonor.net
Source: global trafficDNS traffic detected: DNS query: experiencehonor.net
Source: global trafficDNS traffic detected: DNS query: freshneither.net
Source: global trafficDNS traffic detected: DNS query: experienceneither.net
Source: global trafficDNS traffic detected: DNS query: freshsystem.net
Source: global trafficDNS traffic detected: DNS query: experiencesystem.net
Source: global trafficDNS traffic detected: DNS query: freshtrust.net
Source: global trafficDNS traffic detected: DNS query: experiencetrust.net
Source: global trafficDNS traffic detected: DNS query: gentlemanhonor.net
Source: global trafficDNS traffic detected: DNS query: alreadyhonor.net
Source: global trafficDNS traffic detected: DNS query: gentlemanneither.net
Source: global trafficDNS traffic detected: DNS query: alreadyneither.net
Source: global trafficDNS traffic detected: DNS query: gentlemansystem.net
Source: global trafficDNS traffic detected: DNS query: alreadysystem.net
Source: global trafficDNS traffic detected: DNS query: gentlemantrust.net
Source: global trafficDNS traffic detected: DNS query: alreadytrust.net
Source: global trafficDNS traffic detected: DNS query: followhonor.net
Source: global trafficDNS traffic detected: DNS query: memberhonor.net
Source: global trafficDNS traffic detected: DNS query: followneither.net
Source: global trafficDNS traffic detected: DNS query: memberneither.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: awselb/2.0; Date: Mon, 05 Aug 2024 14:29:19 GMT; Content-Type: text/html; Content-Length: 118; Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Mon, 05 Aug 2024 14:29:28 GMT; Content-Type: text/html; Content-Length: 146; Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden; content-length: 93; cache-control: no-cache; content-type: text/html; connection: close | Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Mon, 05 Aug 2024 14:29:34 GMT; Server: Apache/2.4.61 (Unix); Content-Length: 196; Content-Type: text/html; charset=iso-8859-1; Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fasthosts.co.uk/
Source: yanidfx.exe, 00000003.00000002.2246965678.000000000166D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://followfriend.net/index.php
Source: yanidfx.exe, 00000003.00000002.2246965678.000000000166D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
Source: yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
Source: yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_
Source: yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File created: C:\Windows\hjflhukc\
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\yanidfx.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\xxxniijvj.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\yanidfx.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\yanidfx.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\xxxniijvj.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File deleted: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000C88A8
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D111E
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000DFF20
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000DA805
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E3025
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000ED831
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000C60AD
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E84D7
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E24D3
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D0CE6
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D70E6
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000C9903
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D0113
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000CA928
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000C69A8
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000C11B7
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E7DC0
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D1636
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D8695
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000C46CF
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E5F1E
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D571F
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D9F24
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000C774C
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D5FBA
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000CCFBB
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000EDFCC
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000DB3DB
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009288A8
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009484D7
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0093B3DB
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0093FF2A
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009260AD
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009424D3
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00930CE6
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009370E6
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0093A805
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0094D831
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00943025
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009211B7
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009269A8
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00947DC0
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00930113
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0093111E
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00929903
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0092A928
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00938695
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009246CF
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00931636
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00935FBA
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0092CFBB
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0094DFCC
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00945F1E
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0093571F
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00939F24
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_0092774C
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_007024D3
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_007084D7
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006E88A8
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F8695
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006FFF2A
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F571F
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006FB3DB
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_0070D831
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_00703025
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006FA805
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F0CE6
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F70E6
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006E60AD
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006EA928
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006E9903
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F111E
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F0113
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_00707DC0
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006E69A8
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006E11B7
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F1636
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006E46CF
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006E774C
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F9F24
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_00705F1E
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_0070DFCC
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006ECFBB
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F5FBA
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000E88A8
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F571F
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000FFF2A
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000FA805
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_0010D831
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_00103025
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000E60AD
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_001024D3
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_001084D7
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F0CE6
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F70E6
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000E9903
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F111E
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F0113
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000EA928
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000E69A8
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000E11B7
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_00107DC0
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F1636
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F8695
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000E46CF
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_00105F1E
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F9F24
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000E774C
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F5FBA
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000ECFBB
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000FB3DB
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_0010DFCC
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E288A8
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E3FF25
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E3571F
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E30CE6
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E370E6
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E484D7
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E424D3
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E260AD
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E43025
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E4D831
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E3A805
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E47DC0
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E269A8
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E211B7
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E2A928
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E29903
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E30113
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E3111E
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E246CF
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E38695
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E31636
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E4DFCC
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E3B3DB
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E35FBA
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E2CFBB
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E2774C
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E39F24
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E45F1E
Source: 7qBBKk0P4l.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7qBBKk0P4l.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: psjpq2i82ktsjq0yguk.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yanidfx.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xxxniijvj.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal88.troj.evad.winEXE@13/5@207/12
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 1_2_000E35AD
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 2_2_009435AD
Source: C:\hjflhukc\yanidfx.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 3_2_007035AD
Source: C:\hjflhukc\xxxniijvj.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 4_2_001035AD
Source: C:\hjflhukc\xxxniijvj.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 11_2_00E435AD
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D0806 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E74E8 StartServiceCtrlDispatcherA
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_009474E8 StartServiceCtrlDispatcherA
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_007074E8 StartServiceCtrlDispatcherA
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_001074E8 StartServiceCtrlDispatcherA
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E474E8 StartServiceCtrlDispatcherA
Source: C:\hjflhukc\xxxniijvj.exe | Mutant created: NULL
Source: 7qBBKk0P4l.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7qBBKk0P4l.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File read: C:\Users\user\Desktop\7qBBKk0P4l.exe
Source: unknown | Process created: C:\Users\user\Desktop\7qBBKk0P4l.exe "C:\Users\user\Desktop\7qBBKk0P4l.exe"
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Process created: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe "C:\hjflhukc\psjpq2i82ktsjq0yguk.exe"
Source: unknown | Process created: C:\hjflhukc\yanidfx.exe C:\hjflhukc\yanidfx.exe
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Process created: C:\hjflhukc\yanidfx.exe "C:\hjflhukc\yanidfx.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\hjflhukc\xxxniijvj.exe | Process created: C:\hjflhukc\yanidfx.exe "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Process created: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe "C:\hjflhukc\psjpq2i82ktsjq0yguk.exe"
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Process created: C:\hjflhukc\yanidfx.exe "C:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\xxxniijvj.exe | Process created: C:\hjflhukc\yanidfx.exe "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Section loaded: wintypes.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: apphelp.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: iphlpapi.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: dhcpcsvc.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: cryptsp.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: rsaenh.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: sspicli.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: userenv.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: profapi.dll
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Section loaded: ntmarta.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: apphelp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: iphlpapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: dhcpcsvc.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: cryptsp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: rsaenh.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: sspicli.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: profapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: ntmarta.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: mswsock.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: napinsp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: pnrpnsp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: wshbth.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: nlaapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: dnsapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: winrnr.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: rasadhlp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: fwpuclnt.dll
Source: C:\hjflhukc\xxxniijvj.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: iphlpapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: dhcpcsvc.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: cryptsp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: rsaenh.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: sspicli.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: profapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: ntmarta.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: mswsock.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: napinsp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: pnrpnsp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: wshbth.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: nlaapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: dnsapi.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: winrnr.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: rasadhlp.dll
Source: C:\hjflhukc\yanidfx.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E84D7 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D2C94 push edi; iretd 1_2_000D2C95
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: 2_2_00932C94 push edi; iretd 2_2_00932C95
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_006F2C94 push edi; iretd 3_2_006F2C95
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_000F2C94 push edi; iretd 4_2_000F2C95
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_00E32C94 push edi; iretd 11_2_00E32C95
Source: 7qBBKk0P4l.exe | Static PE information: section name: .text entropy: 6.839663016682375
Source: psjpq2i82ktsjq0yguk.exe.1.dr | Static PE information: section name: .text entropy: 6.839663016682375
Source: yanidfx.exe.2.dr | Static PE information: section name: .text entropy: 6.839663016682375
Source: xxxniijvj.exe.3.dr | Static PE information: section name: .text entropy: 6.839663016682375
Source: C:\hjflhukc\yanidfx.exe | File created: C:\hjflhukc\xxxniijvj.exe
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File created: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | File created: C:\hjflhukc\yanidfx.exe
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000E74E8 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 1_2_000D3285 sldt cx
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 1_2_000D9F24
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 2_2_00939F24
Source: C:\hjflhukc\yanidfx.exe | Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 3_2_006F9F24
Source: C:\hjflhukc\xxxniijvj.exe | Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 4_2_000F9F24
Source: C:\hjflhukc\xxxniijvj.exe | Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 11_2_00E39F24
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary, 2_2_009484D7
Source: C:\hjflhukc\yanidfx.exe | Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary, 3_2_007084D7
Source: C:\hjflhukc\xxxniijvj.exe | Window / User API: threadDelayed 615
Source: C:\hjflhukc\xxxniijvj.exe | Window / User API: threadDelayed 1260
Source: C:\hjflhukc\yanidfx.exe | Window / User API: threadDelayed 370
Source: C:\hjflhukc\xxxniijvj.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-9413
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_1-9411
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-8821
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_1-9041
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_2-8277
Source: C:\hjflhukc\xxxniijvj.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-8321
Source: C:\hjflhukc\yanidfx.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_3-8890
Source: C:\hjflhukc\yanidfx.exe TID: 5692 | Thread sleep time: -31108s >= -30000s
Source: C:\hjflhukc\xxxniijvj.exe TID: 4412 | Thread sleep count: 615 > 30
Source: C:\hjflhukc\xxxniijvj.exe TID: 4412 | Thread sleep time: -615000s >= -30000s
Source: C:\hjflhukc\xxxniijvj.exe TID: 4412Thread sleep count: 1260 > 30Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 4412Thread sleep time: -1260000s >= -30000sJump to behavior
Source: C:\hjflhukc\yanidfx.exe TID: 1032Thread sleep count: 370 > 30Jump to behavior
Source: C:\hjflhukc\yanidfx.exe TID: 1032Thread sleep time: -18500000s >= -30000sJump to behavior
Source: C:\hjflhukc\yanidfx.exe TID: 1032Thread sleep time: -50000s >= -30000sJump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 2668Thread sleep count: 47 > 30Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 2668Thread sleep time: -47000s >= -30000sJump to behavior
Source: C:\hjflhukc\yanidfx.exeLast function: Thread delayed
Source: C:\hjflhukc\yanidfx.exeLast function: Thread delayed
Source: C:\hjflhukc\xxxniijvj.exeLast function: Thread delayed
Source: C:\hjflhukc\xxxniijvj.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 1_2_000C5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,1_2_000C5C39
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exeCode function: 2_2_00925C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,2_2_00925C39
Source: C:\hjflhukc\yanidfx.exeCode function: 3_2_006E5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,3_2_006E5C39
Source: C:\hjflhukc\xxxniijvj.exeCode function: 4_2_000E5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,4_2_000E5C39
Source: C:\hjflhukc\xxxniijvj.exeCode function: 11_2_00E25C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,11_2_00E25C39
Source: C:\hjflhukc\yanidfx.exeThread delayed: delay time: 50000Jump to behavior
Source: C:\hjflhukc\yanidfx.exeThread delayed: delay time: 50000Jump to behavior
Source: yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: yanidfx.exe, 0000000A.00000002.2721900414.0000000000DE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: psjpq2i82ktsjq0yguk.exe, 00000002.00000002.1501380176.000000000165E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeAPI call chain: ExitProcess graph end nodegraph_1-8844
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exeAPI call chain: ExitProcess graph end nodegraph_2-8491
Source: C:\hjflhukc\yanidfx.exeAPI call chain: ExitProcess graph end nodegraph_3-8592
Source: C:\hjflhukc\yanidfx.exeAPI call chain: ExitProcess graph end nodegraph_3-9198
Source: C:\hjflhukc\xxxniijvj.exeAPI call chain: ExitProcess graph end nodegraph_4-8837
Source: C:\hjflhukc\xxxniijvj.exeAPI call chain: ExitProcess graph end nodegraph_11-8535
Source: C:\hjflhukc\xxxniijvj.exeAPI call chain: ExitProcess graph end nodegraph_11-9099
Source: C:\hjflhukc\yanidfx.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 1_2_000E84D7 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,1_2_000E84D7
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 1_2_000CDE5A GetProcessHeap,RtlFreeHeap,1_2_000CDE5A
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 1_2_000CE769 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,1_2_000CE769
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 1_2_000ED256 GetSystemTime,GetTickCount,1_2_000ED256
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 1_2_000C88A8 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,1_2_000C88A8
Source: C:\hjflhukc\psjpq2i82ktsjq0yguk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (numbers in parentheses are the count of matching signatures):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Service Execution (2) | Windows Service (4) | Windows Service (4) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Native API (2) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (21) | LSASS Memory | Security Software Discovery (111) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (4) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Process Injection (1) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (2) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Service Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | File Deletion (1) | DCSync | System Network Configuration Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Information Discovery (4) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph (ID: 1488122, Sample: 7qBBKk0P4l.exe, Start date: 05/08/2024, Architecture: WINDOWS, Score: 88)

  • Start: contacts womantrust.net, womaninclude.net and 168 other IPs or domains. Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures. Processes started: yanidfx.exe, 7qBBKk0P4l.exe, svchost.exe.
  • yanidfx.exe: contacts followfriend.net (188.225.40.227, ports 60224/80, TIMEWEB-ASRU, Russian Federation), womanbelieve.net (15.197.142.173, ports 49707/80, TANDEMUS, United States) and 10 other IPs or domains. Dropped: C:\hjflhukc\xxxniijvj.exe (PE32). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file. Starts xxxniijvj.exe.
  • 7qBBKk0P4l.exe: dropped C:\hjflhukc\psjpq2i82ktsjq0yguk.exe (PE32). Starts psjpq2i82ktsjq0yguk.exe.
  • xxxniijvj.exe: starts yanidfx.exe.
  • psjpq2i82ktsjq0yguk.exe: dropped C:\hjflhukc\yanidfx.exe (PE32). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file. Starts yanidfx.exe.
  • yanidfx.exe (started by xxxniijvj.exe): starts xxxniijvj.exe.

Source | Detection | Scanner | Label | Link
7qBBKk0P4l.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort |
7qBBKk0P4l.exe | 100% | Avira | HEUR/AGEN.1318579 |
7qBBKk0P4l.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\hjflhukc\xxxniijvj.exe | 100% | Avira | HEUR/AGEN.1318579 |
C:\hjflhukc\yanidfx.exe | 100% | Avira | HEUR/AGEN.1318579 |
C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | 100% | Avira | HEUR/AGEN.1318579 |
C:\hjflhukc\xxxniijvj.exe | 100% | Joe Sandbox ML | |
C:\hjflhukc\yanidfx.exe | 100% | Joe Sandbox ML | |
C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | 100% | Joe Sandbox ML | |
C:\hjflhukc\psjpq2i82ktsjq0yguk.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort |
C:\hjflhukc\xxxniijvj.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort |
C:\hjflhukc\yanidfx.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://fasthosts.co.uk/ | 0% | Avira URL Cloud | safe |
https://followfriend.net/index.php | 0% | Avira URL Cloud | safe |
https://www.fasthosts.co.uk/domain-names/search/?domain=$ | 0% | Avira URL Cloud | safe |
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par | 0% | Avira URL Cloud | safe |
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                                                                                                                          unknown
                                                                                                                                          unknowntrue
                                                                                                                                            unknown
                                                                                                                                            summerbelieve.net
                                                                                                                                            unknown
                                                                                                                                            unknowntrue
                                                                                                                                              unknown
                                                                                                                                              womanbranch.net
                                                                                                                                              unknown
                                                                                                                                              unknowntrue
                                                                                                                                                unknown
                                                                                                                                                crowdbranch.net
                                                                                                                                                unknown
                                                                                                                                                unknowntrue
                                                                                                                                                  unknown
                                                                                                                                                  beginbranch.net
                                                                                                                                                  unknown
                                                                                                                                                  unknowntrue
                                                                                                                                                    unknown
                                                                                                                                                    experiencehonor.net
                                                                                                                                                    unknown
                                                                                                                                                    unknowntrue
                                                                                                                                                      unknown
                                                                                                                                                      waterreceive.net
                                                                                                                                                      unknown
                                                                                                                                                      unknowntrue
                                                                                                                                                        unknown
                                                                                                                                                        gentlemansystem.net
                                                                                                                                                        unknown
                                                                                                                                                        unknowntrue
                                                                                                                                                          unknown
                                                                                                                                                          crowdsystem.net
                                                                                                                                                          unknown
                                                                                                                                                          unknowntrue
                                                                                                                                                            unknown
                                                                                                                                                            knownbelieve.net
                                                                                                                                                            unknown
                                                                                                                                                            unknowntrue
                                                                                                                                                              unknown
                                                                                                                                                              knownquarter.net
                                                                                                                                                              unknown
                                                                                                                                                              unknowntrue
                                                                                                                                                                unknown
                                                                                                                                                                beginsystem.net
                                                                                                                                                                unknown
                                                                                                                                                                unknowntrue
                                                                                                                                                                  unknown
                                                                                                                                                                  followsystem.net
                                                                                                                                                                  unknown
                                                                                                                                                                  unknowntrue
                                                                                                                                                                    unknown
                                                                                                                                                                    crowdreceive.net
                                                                                                                                                                    unknown
                                                                                                                                                                    unknowntrue
                                                                                                                                                                      unknown
                                                                                                                                                                      alreadyquarter.net
                                                                                                                                                                      unknown
                                                                                                                                                                      unknowntrue
                                                                                                                                                                        unknown
                                                                                                                                                                        beginquarter.net
                                                                                                                                                                        unknown
                                                                                                                                                                        unknowntrue
                                                                                                                                                                          unknown
                                                                                                                                                                          freshbelieve.net
                                                                                                                                                                          unknown
                                                                                                                                                                          unknowntrue
                                                                                                                                                                            unknown
                                                                                                                                                                            alreadyconsider.net
                                                                                                                                                                            unknown
                                                                                                                                                                            unknowntrue
                                                                                                                                                                              unknown
                                                                                                                                                                              alreadytrust.net
                                                                                                                                                                              unknown
                                                                                                                                                                              unknowntrue
                                                                                                                                                                                unknown
                                                                                                                                                                                freshquarter.net
                                                                                                                                                                                unknown
                                                                                                                                                                                unknowntrue
                                                                                                                                                                                  unknown
                                                                                                                                                                                  gentlemanfriend.net
                                                                                                                                                                                  unknown
                                                                                                                                                                                  unknowntrue
                                                                                                                                                                                    unknown
                                                                                                                                                                                    beginbelieve.net
                                                                                                                                                                                    unknown
                                                                                                                                                                                    unknowntrue
                                                                                                                                                                                      unknown
                                                                                                                                                                                      memberhonor.net
                                                                                                                                                                                      unknown
                                                                                                                                                                                      unknowntrue
                                                                                                                                                                                        unknown
                                                                                                                                                                                        summersystem.net
                                                                                                                                                                                        unknown
                                                                                                                                                                                        unknowntrue
                                                                                                                                                                                          unknown
                                                                                                                                                                                          partyquarter.net
                                                                                                                                                                                          unknown
                                                                                                                                                                                          unknowntrue
                                                                                                                                                                                            unknown
                                                                                                                                                                                            alreadyfancy.net
                                                                                                                                                                                            unknown
                                                                                                                                                                                            unknowntrue
                                                                                                                                                                                              unknown
                                                                                                                                                                                              fightneither.net
                                                                                                                                                                                              unknown
                                                                                                                                                                                              unknowntrue
                                                                                                                                                                                                unknown
                                                                                                                                                                                                alreadybranch.net
                                                                                                                                                                                                unknown
                                                                                                                                                                                                unknowntrue
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  partynorth.net
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  unknowntrue
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    womangeneral.net
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    unknowntrue
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      thoughtreceive.net
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      unknowntrue
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        smokegeneral.net
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        unknowntrue
                                                                                                                                                                                                          unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://fasthosts.co.uk/ | yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/domain-names/search/?domain=$ | yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://followfriend.net/index.php | yanidfx.exe, 00000003.00000002.2246965678.000000000166D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_ | yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par | yanidfx.exe, 00000003.00000002.2246965678.000000000166D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2246797634.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
85.13.130.3 | membersystem.net | Germany | | 34788 | NMM-ASD-02742FriedersdorfHauptstrasse68DE | false
188.225.40.227 | followfriend.net | Russian Federation | | 9123 | TIMEWEB-ASRU | false
34.246.200.160 | thoughtbranch.net | United States | | 16509 | AMAZON-02US | false
170.187.200.48 | crowdtrust.net | United States | | 7018 | ATT-INTERNET4US | false
35.164.78.200 | memberreceive.net | United States | | 16509 | AMAZON-02US | false
                                                                                                                                                                                                          15.197.142.173
                                                                                                                                                                                                          womanbelieve.netUnited States
                                                                                                                                                                                                          7430TANDEMUSfalse
                                                                                                                                                                                                          54.244.188.177
                                                                                                                                                                                                          womanhonor.netUnited States
                                                                                                                                                                                                          16509AMAZON-02USfalse
                                                                                                                                                                                                          64.190.63.222
                                                                                                                                                                                                          watersystem.netUnited States
                                                                                                                                                                                                          11696NBS11696USfalse
                                                                                                                                                                                                          15.197.192.55
                                                                                                                                                                                                          partybelieve.netUnited States
                                                                                                                                                                                                          7430TANDEMUSfalse
                                                                                                                                                                                                          3.33.130.190
                                                                                                                                                                                                          partygeneral.netUnited States
                                                                                                                                                                                                          8987AMAZONEXPANSIONGBfalse
                                                                                                                                                                                                          213.171.195.105
                                                                                                                                                                                                          thoughtsystem.netUnited Kingdom
                                                                                                                                                                                                          8560ONEANDONE-ASBrauerstrasse48DEfalse
                                                                                                                                                                                                          81.169.145.88
                                                                                                                                                                                                          freshfancy.netGermany
                                                                                                                                                                                                          6724STRATOSTRATOAGDEfalse
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488122
Start date and time: 2024-08-05 16:28:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7qBBKk0P4l.exe (renamed because the original name is a hash value)
Original Sample Name: 3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470.exe
Detection: MAL
Classification: mal88.troj.evad.winEXE@13/5@207/12
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 71
• Number of non-executed functions: 84
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: 7qBBKk0P4l.exe
Time      Type              Description
10:29:41  API Interceptor   1860x Sleep call for process: xxxniijvj.exe modified
10:30:26  API Interceptor   436x Sleep call for process: yanidfx.exe modified
Match            Associated Sample Name / URL   Detection   Threat Name   Context
85.13.130.3      mtuXDnH1Di.exe                 malicious   Unknown       membersystem.net/index.php
                 vzPAucRnt7.exe                 malicious   Unknown       membersystem.net/index.php
                 vzPAucRnt7.exe                 malicious   Unknown       membersystem.net/index.php
188.225.40.227   mtuXDnH1Di.exe                 malicious   Unknown       followfriend.net/index.php
                 BeR96suzTx.exe                 malicious   FormBook      www.skazhiraku.net/itq4/?ATvHA=k2MpXHpX2FlDSbL&m8=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLYvRiJP5MpAf
                 Rh3zHXGC0W.exe                 malicious   FormBook      www.ikra-prem.space/g8kn/?3f=SObGRIQc2SXqBOlWxSNvpO1BE/+cxQu6skH9Iz/5ZN4shibJkSmH+F/+6dh/KvA+GdhZXNtYOg==&s2J=v6Ah24bh4tF
                 doc88.exe                      malicious   FormBook      www.skazhiraku.net/itq4/?BJ=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLbPBtofBSMpY&k6Apv=4hB0VF
                 p6le0wM39E.exe                 malicious   DCRat         cq80904.tmweb.ru/vmHttpdefaultDb.php?K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ4YzM3YjZzgDNxkzM5UzMhNTNmVTNhNjN0MmZ4EmN4gzYmVjN4kTZ&K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU
                 UYAfvxRha7.exe                 malicious   DCRat         cq80904.tmweb.ru/vmHttpdefaultDb.php?wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ1MGNjVWZkZTMmRGOmRjNiZWMlNzYiNGZwEmY2UjNlRGZyMmZyQWM&wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU
34.246.200.160   mtuXDnH1Di.exe                 malicious   Unknown       thoughtbranch.net/index.php
                 vzPAucRnt7.exe                 malicious   Unknown       thoughtbranch.net/index.php
                 vzPAucRnt7.exe                 malicious   Unknown       thoughtbranch.net/index.php
                 7sAylAXBOb.exe                 malicious   Unknown       figurewithout.net/index.php
                 7sAylAXBOb.exe                 malicious   Unknown       figurewithout.net/index.php
                 5a5O0c0oJP.exe                 malicious   Unknown       figurewithout.net/index.php
                 5a5O0c0oJP.exe                 malicious   Unknown       figurewithout.net/index.php
                 Jla3M8Fe16.exe                 malicious   Unknown       figurewithout.net/index.php
Match               Associated Sample Name / URL   Detection   Threat Name   Context
membertrust.net     mtuXDnH1Di.exe                 malicious   Unknown       3.33.130.190
                    vzPAucRnt7.exe                 malicious   Unknown       3.33.130.190
                    vzPAucRnt7.exe                 malicious   Unknown       3.33.130.190
watersystem.net     mtuXDnH1Di.exe                 malicious   Unknown       64.190.63.222
                    vzPAucRnt7.exe                 malicious   Unknown       64.190.63.222
                    vzPAucRnt7.exe                 malicious   Unknown       64.190.63.222
crowdtrust.net      mtuXDnH1Di.exe                 malicious   Unknown       170.187.200.48
                    vzPAucRnt7.exe                 malicious   Unknown       170.187.200.48
                    vzPAucRnt7.exe                 malicious   Unknown       170.187.200.48
thoughtsystem.net   mtuXDnH1Di.exe                 malicious   Unknown       213.171.195.105
                    vzPAucRnt7.exe                 malicious   Unknown       213.171.195.105
                    vzPAucRnt7.exe                 malicious   Unknown       213.171.195.105
womanbelieve.net    mtuXDnH1Di.exe                 malicious   Unknown       15.197.142.173
                    vzPAucRnt7.exe                 malicious   Unknown       15.197.142.173
                    vzPAucRnt7.exe                 malicious   Unknown       15.197.142.173
womanhonor.net      mtuXDnH1Di.exe                 malicious   Unknown       54.244.188.177
                    vzPAucRnt7.exe                 malicious   Unknown       54.244.188.177
                                                                                                                                                                                                          vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 54.244.188.177
                                                                                                                                                                                                          partygeneral.netmtuXDnH1Di.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 3.33.130.190
                                                                                                                                                                                                          vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 3.33.130.190
                                                                                                                                                                                                          vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 3.33.130.190
                                                                                                                                                                                                          membersystem.netmtuXDnH1Di.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 85.13.130.3
                                                                                                                                                                                                          vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 85.13.130.3
                                                                                                                                                                                                          vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • 85.13.130.3
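The domain rows above show the same word-pair domains contacted by three different samples and resolving to the same handful of addresses. On a resolver or endpoint DNS log the operational question is which client is behind lookups of that shape. The detector below is an added example and not part of the Joe Sandbox report: it buckets queries per client into fixed windows and flags a window with an unusually large number of distinct registered domains, or a high NXDOMAIN ratio. The log format (timestamp, client, queried name, rcode) is a constructed simplification; only the five domain names in the sample data come from the table, while the timestamps, client addresses, rcodes and the host*.invalid names are invented, and the thresholds are assumed starting points rather than report values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = timedelta(seconds=60)
MIN_DISTINCT = 100      # distinct registered domains per client per window (assumed)
MIN_QUERIES = 20        # floor before the NXDOMAIN-ratio rule applies (assumed)
MIN_NX_RATIO = 0.5      # assumed

# The only data taken from the report: the five domains in the context table.
TABLE_DOMAINS = ["thoughtsystem.net", "womanbelieve.net", "womanhonor.net",
                 "partygeneral.net", "membersystem.net"]


def constructed_log():
    """Constructed sample log, one 'timestamp client qname rcode' line each.
    Timestamps, client addresses, rcodes and the host*.invalid names are invented."""
    t0 = datetime(2024, 7, 29, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 {d} NOERROR"
             for i, d in enumerate(TABLE_DOMAINS)]
    # A burst of 120 made-up names under the reserved .invalid TLD within 30 s.
    lines += [f"{(t0 + timedelta(milliseconds=250 * i)).isoformat()} "
              f"10.0.0.5 host{i:03d}.invalid NXDOMAIN" for i in range(120)]
    # A second client doing ordinary lookups, which must not be flagged.
    lines += [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 10.0.0.7 {d} NOERROR"
              for i, d in enumerate(["www.example.com", "example.com", "www.example.org"])]
    return lines


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def registered_domain(qname):
    """Last two labels. Simplification: production code should consult the
    public suffix list so that names under e.g. co.uk are grouped correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def find_lookup_bursts(lines, window=WINDOW, min_distinct=MIN_DISTINCT,
                       min_queries=MIN_QUERIES, min_nx_ratio=MIN_NX_RATIO):
    """Bucket queries per (client, fixed window) and return one alert per
    window that has many distinct registered domains or a high NXDOMAIN ratio."""
    buckets = defaultdict(lambda: {"domains": set(), "queries": 0, "nx": 0})
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        start = EPOCH + ((ts - EPOCH) // window) * window   # floor to window boundary
        b = buckets[(client, start)]
        b["domains"].add(registered_domain(qname))
        b["queries"] += 1
        if rcode == "NXDOMAIN":
            b["nx"] += 1
    alerts = []
    for (client, start), b in sorted(buckets.items()):
        nx_ratio = b["nx"] / b["queries"]
        reasons = []
        if len(b["domains"]) >= min_distinct:
            reasons.append(f"{len(b['domains'])} distinct registered domains")
        if b["queries"] >= min_queries and nx_ratio >= min_nx_ratio:
            reasons.append(f"NXDOMAIN ratio {nx_ratio:.2f}")
        if reasons:
            alerts.append({"client": client, "window_start": start.isoformat(),
                           "distinct": len(b["domains"]), "queries": b["queries"],
                           "nx_ratio": round(nx_ratio, 2), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_lookup_bursts(constructed_log()):
        print(alert)
```

Both rules fire for the constructed client 10.0.0.5 (125 distinct domains, NXDOMAIN ratio 0.96) and neither for 10.0.0.7. The two rules are kept separate on purpose: domains that are parked and resolve, as the addresses in the table suggest, only trip the distinct-domain rule, while a client whose generated names are not registered yet trips the ratio rule first.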
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATT-INTERNET4US | mtuXDnH1Di.exe | malicious | Unknown | 170.187.200.48
ATT-INTERNET4US | vzPAucRnt7.exe | malicious | Unknown | 170.187.200.48
ATT-INTERNET4US | vzPAucRnt7.exe | malicious | Unknown | 170.187.200.48
ATT-INTERNET4US | View Invoice#98783859 Statement for dpo.lu.htm | malicious | HTMLPhisher | 13.32.27.44
ATT-INTERNET4US | unLc6VekkL.elf | malicious | Mirai | 13.143.18.150
ATT-INTERNET4US | 17nDkQW4tK.elf | malicious | Mirai | 69.236.41.25
ATT-INTERNET4US | 2PQz3l61Pc.elf | malicious | Mirai | 199.186.2.28
ATT-INTERNET4US | botx.mips.elf | malicious | Mirai | 75.56.221.43
ATT-INTERNET4US | botx.x86.elf | malicious | Mirai | 76.246.229.111
ATT-INTERNET4US | botx.arm6.elf | malicious | Mirai | 12.169.146.180
TIMEWEB-ASRU | mtuXDnH1Di.exe | malicious | Unknown | 188.225.40.227
TIMEWEB-ASRU | Runtime Broker.exe | malicious | DCRat | 185.114.247.170
TIMEWEB-ASRU | r6KYedz4VQ.exe | malicious | DCRat | 185.114.247.170
TIMEWEB-ASRU | Gz3zPqMdtn.exe | malicious | DCRat | 185.114.247.170
TIMEWEB-ASRU | cnGgzU2rkd.exe | malicious | DCRat | 185.114.247.170
TIMEWEB-ASRU | https://diigo.com/0wzrly?ID=QtERFQmXrhNlWxfeW9PbYZfS3+Email=ambre.boyon@gerflor.com | malicious | Unknown | 188.225.39.170
TIMEWEB-ASRU | 5F6Ny9UaKt.exe | malicious | DCRat | 185.114.247.170
TIMEWEB-ASRU | LisectAVT_2403002C_62.dll | malicious | Emotet | 188.225.32.231
TIMEWEB-ASRU | qqMLbietPf.exe | malicious | DCRat | 185.114.247.170
TIMEWEB-ASRU | Reference ID6f5f047b6cdf41716e164ec64879e463.eml | malicious | HTMLPhisher | 185.114.245.110
NMM-ASD-02742FriedersdorfHauptstrasse68DE | mtuXDnH1Di.exe | malicious | Unknown | 85.13.130.3
NMM-ASD-02742FriedersdorfHauptstrasse68DE | vzPAucRnt7.exe | malicious | Unknown | 85.13.130.3
NMM-ASD-02742FriedersdorfHauptstrasse68DE | vzPAucRnt7.exe | malicious | Unknown | 85.13.130.3
NMM-ASD-02742FriedersdorfHauptstrasse68DE | LisectAVT_2403002A_76.exe | malicious | AgentTesla | 85.13.147.213
NMM-ASD-02742FriedersdorfHauptstrasse68DE | hNX3ktCRra.elf | malicious | Unknown | 85.13.140.189
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Fzfee1Lgc2.elf | malicious | Unknown | 85.13.155.154
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Yb6ztdvQaB.elf | malicious | Unknown | 85.13.132.87
NMM-ASD-02742FriedersdorfHauptstrasse68DE | SLL8zVmaGj.elf | malicious | Unknown | 85.13.163.148
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Wk8eTHnajw.elf | malicious | Unknown | 85.13.130.45
NMM-ASD-02742FriedersdorfHauptstrasse68DE | 0SpHek7Jd8.elf | malicious | Unknown | 85.13.156.180
AMAZON-02US | mtuXDnH1Di.exe | malicious | Unknown | 54.244.188.177
AMAZON-02US | Exv453QQIX.exe | malicious | FormBook | 76.223.105.230
AMAZON-02US | OneDriveSetup.exe | malicious | ZTrat | 3.126.224.214
AMAZON-02US | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177
AMAZON-02US | Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | 76.223.67.189
AMAZON-02US | http://verizonwireless-employmentvalidation.com | malicious | Unknown | 3.124.93.206
AMAZON-02US | UjCrfOAkJJiZyZh.exe | malicious | FormBook, PureLog Stealer | 75.2.115.196
AMAZON-02US | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177
AMAZON-02US | .exe | malicious | Unknown | 52.42.85.34
AMAZON-02US | http://beonlineboo.com | malicious | Unknown | 35.165.37.251
No context
No context
Process: C:\Users\user\Desktop\7qBBKk0P4l.exe
File Type: ISO-8859 text, with no line terminators
Category: dropped
Size (bytes): 6
Entropy (8bit): 2.584962500721156
Encrypted: false
SSDEEP: 3:o+k:op
MD5: 869F9B7357D5489D5FE37B208940AFD8
SHA1: 8D4C9419F43D41066C40C67ED43F63A268A7E7AC
SHA-256: DEE53FC307F455BF9E72689A4472B6E5252C6B36B848C8F531DAD9714A8D3F80
SHA-512: 9B7E12978891487D2BD31DCF0BCF02CFC74331AEBA1372AE9B0DA3B4BD7B1B177F25FD4A9E798D48A7F7C569409647FD1D975C3E4D12631B0953A50BDF71C75D
Malicious: false
Reputation: low
Preview: .RkQ.
Process: C:\Users\user\Desktop\7qBBKk0P4l.exe
File Type: ISO-8859 text, with no line terminators
Category: dropped
Size (bytes): 6
Entropy (8bit): 2.584962500721156
Encrypted: false
SSDEEP: 3:o+k:op
MD5: 869F9B7357D5489D5FE37B208940AFD8
SHA1: 8D4C9419F43D41066C40C67ED43F63A268A7E7AC
SHA-256: DEE53FC307F455BF9E72689A4472B6E5252C6B36B848C8F531DAD9714A8D3F80
SHA-512: 9B7E12978891487D2BD31DCF0BCF02CFC74331AEBA1372AE9B0DA3B4BD7B1B177F25FD4A9E798D48A7F7C569409647FD1D975C3E4D12631B0953A50BDF71C75D
Malicious: false
Reputation: low
Preview: .RkQ.
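The two 6-byte drops above list an entropy of 2.584962500721156, which is log2(6): every one of the six bytes is different, so the value says nothing about packing and only confirms the file is tiny and non-repetitive. The block below is an added example, not Joe Sandbox code; it recomputes the per-file metrics the report lists (size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512), adds a windowed entropy scan for spotting an embedded high-entropy blob, and applies a rule-of-thumb verdict. The byte strings are constructed here and are not the report's files, so their digests differ from those listed, and the thresholds in entropy_verdict are assumptions rather than values taken from the report.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 256) -> list:
    """Entropy of consecutive fixed-size windows. A few windows near 8.0 in an
    otherwise low-entropy file point at an embedded packed or encrypted blob
    rather than a uniformly compressed image."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def digests(data: bytes) -> dict:
    """Upper-case hex digests, the same four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def entropy_verdict(entropy: float, size: int) -> str:
    """Coarse interpretation; the thresholds are assumed rules of thumb."""
    if size < 64:
        return "too small to judge"
    if entropy >= 7.2:
        return "likely packed, compressed or encrypted"
    if entropy >= 6.5:
        return "mixed; inspect sections or windows individually"
    return "mostly plain code or data"


def describe(data: bytes) -> dict:
    """Produce the same fields as one dropped-file entry of the report."""
    e = shannon_entropy(data)
    return {"size": len(data), "entropy": e,
            "verdict": entropy_verdict(e, len(data)), **digests(data)}


# Constructed inputs (not the report's dropped files):
SIX_DISTINCT = b"\x01RkQ\r\n"             # six distinct bytes -> log2(6)
PLAIN = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." * 20
BLOB = bytes(range(256)) * 4              # every byte value equally often -> 8.0
MIXED = PLAIN + BLOB                      # low-entropy header, high-entropy body

if __name__ == "__main__":
    for label, blob in (("six", SIX_DISTINCT), ("plain", PLAIN),
                        ("blob", BLOB), ("mixed", MIXED)):
        d = describe(blob)
        print(f"{label:6} size={d['size']:5} entropy={d['entropy']:.4f} "
              f"{d['verdict']} md5={d['md5']}")
    print("windows:", [round(x, 2) for x in windowed_entropy(MIXED)])
```

The whole-file entropy of MIXED lands in the "mixed" band while the windowed scan shows a run of windows at exactly 8.0, which is the pattern to look for when a whole-file value such as the 7.11 listed for the PE drop below is inconclusive on its own.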
Process:C:\Users\user\Desktop\7qBBKk0P4l.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236032
Entropy (8bit):7.1119041831804
Encrypted:false
SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
MD5:94E7772B2B1BDA89B23A2FBA0E57742E
SHA1:2AF48B80B7354B4A15EFF49AF3F3D70D3E5789A4
SHA-256:3397920E23CF8435201E9E90796B2A8C9EC340E4733CBC8064999E462DC53470
SHA-512:28F2B94180CBD451FDF887B6E47DC92596FDFB37D06B0F115B4C4A79524366681E05EB2624922A7311BCB9CA983D275BB10F29338628F8654FD673619669F101
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............D..............q......q.....Rich....................PE..L...w..T.....................>....................@..........................@............@.....................................P................................w......................................................T............................text............................... ..`.rdata..............................@..@.data............>..................@....reloc...w.......x..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\hjflhukc\yanidfx.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236032
Entropy (8bit):7.1119041831804
Encrypted:false
SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
MD5:94E7772B2B1BDA89B23A2FBA0E57742E
SHA1:2AF48B80B7354B4A15EFF49AF3F3D70D3E5789A4
SHA-256:3397920E23CF8435201E9E90796B2A8C9EC340E4733CBC8064999E462DC53470
SHA-512:28F2B94180CBD451FDF887B6E47DC92596FDFB37D06B0F115B4C4A79524366681E05EB2624922A7311BCB9CA983D275BB10F29338628F8654FD673619669F101
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............D..............q......q.....Rich....................PE..L...w..T.....................>....................@..........................@............@.....................................P................................w......................................................T............................text............................... ..`.rdata..............................@..@.data............>..................@....reloc...w.......x..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\hjflhukc\psjpq2i82ktsjq0yguk.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236032
Entropy (8bit):7.1119041831804
Encrypted:false
SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
MD5:94E7772B2B1BDA89B23A2FBA0E57742E
SHA1:2AF48B80B7354B4A15EFF49AF3F3D70D3E5789A4
SHA-256:3397920E23CF8435201E9E90796B2A8C9EC340E4733CBC8064999E462DC53470
SHA-512:28F2B94180CBD451FDF887B6E47DC92596FDFB37D06B0F115B4C4A79524366681E05EB2624922A7311BCB9CA983D275BB10F29338628F8654FD673619669F101
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............D..............q......q.....Rich....................PE..L...w..T.....................>....................@..........................@............@.....................................P................................w......................................................T............................text............................... ..`.rdata..............................@..@.data............>..................@....reloc...w.......x..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.1119041831804
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:7qBBKk0P4l.exe
File size:236'032 bytes
MD5:94e7772b2b1bda89b23a2fba0e57742e
SHA1:2af48b80b7354b4a15eff49af3f3d70d3e5789a4
SHA256:3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470
SHA512:28f2b94180cbd451fdf887b6e47dc92596fdfb37d06b0f115b4c4a79524366681e05eb2624922a7311bcb9ca983d275bb10f29338628f8654fd673619669f101
SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
TLSH:D234AE27EA481433C92B627C8F4F3BE555BF71735A216A0D87AD29C85CA13CDB23251B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..............D................q.......q......Rich....................PE..L...w..T.....................>....................@
Icon Hash:00928e8e8686b000
Entrypoint:0x42cffe
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x5415F677 [Sun Sep 14 20:11:35 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:f2a0245d6e1fa4eff8f7908b9115e5a5
Instruction
inc dword ptr [004364E0h]
mov eax, dword ptr [004364E0h]
movsx ecx, word ptr [00439A58h]
shl ecx, 05h
add ecx, eax
cmp ecx, 88FDF618h
jne 00007FE034DCF4D5h
movsx ecx, word ptr [00439E9Eh]
movsx eax, word ptr [00438E72h]
shl ecx, 09h
add eax, eax
or ecx, 8B9FEAD2h
cmp eax, ecx
jl 00007FE034DCF4AEh
add dword ptr [004351D4h], 32000450h
jmp 00007FE034DCF4ACh
and dword ptr [004355ACh], FE8EB909h
call 00007FE034DC81A8h
mov ax, word ptr [00439448h]
cwde
and dword ptr [004364CCh], eax
call 00007FE034DB818Eh
movsx eax, word ptr [0043A870h]
not eax
cmp eax, 89F860A1h
jle 00007FE034DCF4C8h
mov ecx, dword ptr [00434EF8h]
mov eax, dword ptr [00438310h]
and ecx, 57A11F5Bh
or eax, 87C03C33h
inc dword ptr [00434EF8h]
cmp ecx, eax
jl 00007FE034DCF4A8h
mov ax, word ptr [00438B68h]
push esi
push 0042F15Ch
push 0042F154h
call 00007FE034DC525Eh
add dword ptr [004340B0h], FDBF763Fh
pop ecx
pop ecx
call 00007FE034DCBE05h
imul ecx, dword ptr [004347E0h], 0000ED7Bh
Programming Language:
• [C++] VS2013 UPD4 build 31101
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f198 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c000 | 0x77e8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f000 | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d4a4 | 0x2d600 | a008b9f965a55234d4e9fec1e12e9ec6 | False | 0.7345310347796143 | data | 6.839663016682375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2f000 | 0x8be | 0xa00 | 55aa2668bd66e2095758bac52ad4d6a9 | False | 0.4265625 | data | 4.9731112242142945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0xbaa0 | 0x3e00 | bd6e729852a57125388e38f19ed205d8 | False | 0.9037298387096774 | data | 7.278103942872461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3c000 | 0x77e8 | 0x7800 | 623b73b7d554b0184d990dca084cd43a | False | 0.77333984375 | data | 6.84069434637676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
GDI32.dll | GetBkColor, GetDCBrushColor, GetDCPenColor, GetClipRgn, GetMetaRgn, GetCurrentObject, GetDeviceCaps, GetObjectType, GetRandomRgn, GetStretchBltMode, GetSystemPaletteUse, GetTextCharacterExtra, GetTextAlign, GetTextColor, GetTextCharset, GetTextCharsetInfo, GetFontLanguageInfo
USER32.dll | GetMenuContextHelpId, GetCursor, GetWindowLongA, LoadIconA, GetWindowContextHelpId, SetWindowTextA, RemovePropA, GetPropA, GetScrollPos, EndPaint, GetDC, WindowFromDC, GetForegroundWindow, DrawTextA, GetMenuCheckMarkDimensions, GetMenuItemCount, GetMenuItemID, GetMenuState, GetMenu, IsWindowEnabled, EnableWindow, GetQueueStatus, SetFocus, GetDialogBaseUnits, CheckDlgButton, SetDlgItemTextA, GetDlgItemInt, GetDlgItem, EndDialog, MoveWindow, ShowWindow, CallWindowProcA, PostMessageA, SendMessageA, BeginPaint
KERNEL32.dll | MoveFileA, LocalFlags, GlobalHandle, GlobalFlags, GlobalSize, SizeofResource, LockResource, LoadResource, GetProcAddress, GetModuleHandleA, GetTickCount, GetVersion, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentProcess, GetProcessHeap, HeapAlloc, QueryPerformanceCounter, GetLastError, CloseHandle, IsDebuggerPresent, WriteFile, SetFilePointer, GetFileType, GetFileTime, GetDriveTypeA, FlushFileBuffers, FindClose, DeleteFileA, GetStdHandle
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-08-05T16:29:15.427900+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49705 | 80 | 192.168.2.8 | 35.164.78.200
2024-08-05T16:29:21.526506+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49711 | 80 | 192.168.2.8 | 15.197.192.55
2024-08-05T16:29:28.585913+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49716 | 80 | 192.168.2.8 | 170.187.200.48
2024-08-05T16:29:11.586178+0200 | UDP | 2811542 | ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) | 53 | 56919 | 1.1.1.1 | 192.168.2.8
2024-08-05T16:29:12.540506+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49704 | 80 | 192.168.2.8 | 3.33.130.190
2024-08-05T16:29:15.432885+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49705 | 35.164.78.200 | 192.168.2.8
2024-08-05T16:29:17.836857+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49706 | 34.246.200.160 | 192.168.2.8
2024-08-05T16:29:31.727756+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49719 | 54.244.188.177 | 192.168.2.8
2024-08-05T16:31:09.914916+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 60229 | 80 | 192.168.2.8 | 35.164.78.200
2024-08-05T16:30:40.325809+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 60228 | 80 | 192.168.2.8 | 3.33.130.190
2024-08-05T16:29:18.843079+0200 | UDP | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 53 | 54266 | 1.1.1.1 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 16:29:12.065845013 CEST | 49704 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:12.071082115 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:12.071178913 CEST | 49704 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:12.071218014 CEST | 49704 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:12.076324940 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:12.540308952 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:12.540328979 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:12.540505886 CEST | 49704 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:12.540577888 CEST | 49704 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:12.545561075 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:14.686279058 CEST | 49705 | 80 | 192.168.2.8 | 35.164.78.200
Aug 5, 2024 16:29:14.692420006 CEST | 80 | 49705 | 35.164.78.200 | 192.168.2.8
Aug 5, 2024 16:29:14.692543030 CEST | 49705 | 80 | 192.168.2.8 | 35.164.78.200
Aug 5, 2024 16:29:14.692574024 CEST | 49705 | 80 | 192.168.2.8 | 35.164.78.200
Aug 5, 2024 16:29:14.698522091 CEST | 80 | 49705 | 35.164.78.200 | 192.168.2.8
Aug 5, 2024 16:29:15.427299976 CEST | 80 | 49705 | 35.164.78.200 | 192.168.2.8
Aug 5, 2024 16:29:15.427824020 CEST | 80 | 49705 | 35.164.78.200 | 192.168.2.8
Aug 5, 2024 16:29:15.427900076 CEST | 49705 | 80 | 192.168.2.8 | 35.164.78.200
Aug 5, 2024 16:29:15.428062916 CEST | 49705 | 80 | 192.168.2.8 | 35.164.78.200
Aug 5, 2024 16:29:15.432884932 CEST | 80 | 49705 | 35.164.78.200 | 192.168.2.8
Aug 5, 2024 16:29:17.035758972 CEST | 49706 | 80 | 192.168.2.8 | 34.246.200.160
Aug 5, 2024 16:29:17.040955067 CEST | 80 | 49706 | 34.246.200.160 | 192.168.2.8
Aug 5, 2024 16:29:17.041033983 CEST | 49706 | 80 | 192.168.2.8 | 34.246.200.160
Aug 5, 2024 16:29:17.041102886 CEST | 49706 | 80 | 192.168.2.8 | 34.246.200.160
Aug 5, 2024 16:29:17.046912909 CEST | 80 | 49706 | 34.246.200.160 | 192.168.2.8
Aug 5, 2024 16:29:17.830583096 CEST | 80 | 49706 | 34.246.200.160 | 192.168.2.8
Aug 5, 2024 16:29:17.831773996 CEST | 80 | 49706 | 34.246.200.160 | 192.168.2.8
Aug 5, 2024 16:29:17.831890106 CEST | 49706 | 80 | 192.168.2.8 | 34.246.200.160
Aug 5, 2024 16:29:17.831890106 CEST | 49706 | 80 | 192.168.2.8 | 34.246.200.160
Aug 5, 2024 16:29:17.836857080 CEST | 80 | 49706 | 34.246.200.160 | 192.168.2.8
Aug 5, 2024 16:29:19.529993057 CEST | 49707 | 80 | 192.168.2.8 | 15.197.142.173
Aug 5, 2024 16:29:19.535176992 CEST | 80 | 49707 | 15.197.142.173 | 192.168.2.8
Aug 5, 2024 16:29:19.535249949 CEST | 49707 | 80 | 192.168.2.8 | 15.197.142.173
Aug 5, 2024 16:29:19.535299063 CEST | 49707 | 80 | 192.168.2.8 | 15.197.142.173
Aug 5, 2024 16:29:19.540290117 CEST | 80 | 49707 | 15.197.142.173 | 192.168.2.8
Aug 5, 2024 16:29:20.101177931 CEST | 80 | 49707 | 15.197.142.173 | 192.168.2.8
Aug 5, 2024 16:29:20.101299047 CEST | 49707 | 80 | 192.168.2.8 | 15.197.142.173
Aug 5, 2024 16:29:20.117944956 CEST | 80 | 49707 | 15.197.142.173 | 192.168.2.8
Aug 5, 2024 16:29:20.117995977 CEST | 49707 | 80 | 192.168.2.8 | 15.197.142.173
Aug 5, 2024 16:29:21.049998999 CEST | 49711 | 80 | 192.168.2.8 | 15.197.192.55
Aug 5, 2024 16:29:21.055402994 CEST | 80 | 49711 | 15.197.192.55 | 192.168.2.8
Aug 5, 2024 16:29:21.055469036 CEST | 49711 | 80 | 192.168.2.8 | 15.197.192.55
Aug 5, 2024 16:29:21.055541992 CEST | 49711 | 80 | 192.168.2.8 | 15.197.192.55
Aug 5, 2024 16:29:21.060467958 CEST | 80 | 49711 | 15.197.192.55 | 192.168.2.8
Aug 5, 2024 16:29:21.526259899 CEST | 80 | 49711 | 15.197.192.55 | 192.168.2.8
Aug 5, 2024 16:29:21.526505947 CEST | 49711 | 80 | 192.168.2.8 | 15.197.192.55
Aug 5, 2024 16:29:21.526566029 CEST | 80 | 49711 | 15.197.192.55 | 192.168.2.8
Aug 5, 2024 16:29:21.526608944 CEST | 49711 | 80 | 192.168.2.8 | 15.197.192.55
Aug 5, 2024 16:29:21.531361103 CEST | 80 | 49711 | 15.197.192.55 | 192.168.2.8
Aug 5, 2024 16:29:24.561898947 CEST | 49714 | 80 | 192.168.2.8 | 85.13.130.3
Aug 5, 2024 16:29:24.566826105 CEST | 80 | 49714 | 85.13.130.3 | 192.168.2.8
Aug 5, 2024 16:29:24.566931009 CEST | 49714 | 80 | 192.168.2.8 | 85.13.130.3
Aug 5, 2024 16:29:24.566958904 CEST | 49714 | 80 | 192.168.2.8 | 85.13.130.3
Aug 5, 2024 16:29:24.571830034 CEST | 80 | 49714 | 85.13.130.3 | 192.168.2.8
Aug 5, 2024 16:29:25.243931055 CEST | 80 | 49714 | 85.13.130.3 | 192.168.2.8
Aug 5, 2024 16:29:25.244179010 CEST | 49714 | 80 | 192.168.2.8 | 85.13.130.3
Aug 5, 2024 16:29:25.244664907 CEST | 80 | 49714 | 85.13.130.3 | 192.168.2.8
Aug 5, 2024 16:29:25.244726896 CEST | 49714 | 80 | 192.168.2.8 | 85.13.130.3
Aug 5, 2024 16:29:25.249881029 CEST | 80 | 49714 | 85.13.130.3 | 192.168.2.8
Aug 5, 2024 16:29:25.418395996 CEST | 49715 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:25.426352978 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:25.426425934 CEST | 49715 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:25.426461935 CEST | 49715 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:25.433134079 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:26.839092970 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:26.839190006 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:26.839265108 CEST | 49715 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:26.839318991 CEST | 49715 | 80 | 192.168.2.8 | 3.33.130.190
Aug 5, 2024 16:29:26.845216036 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.8
Aug 5, 2024 16:29:28.090379953 CEST | 49716 | 80 | 192.168.2.8 | 170.187.200.48
Aug 5, 2024 16:29:28.096540928 CEST | 80 | 49716 | 170.187.200.48 | 192.168.2.8
Aug 5, 2024 16:29:28.096625090 CEST | 49716 | 80 | 192.168.2.8 | 170.187.200.48
Aug 5, 2024 16:29:28.096674919 CEST | 49716 | 80 | 192.168.2.8 | 170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.102552891 CEST8049716170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.585762978 CEST8049716170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.585912943 CEST4971680192.168.2.8170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.585988998 CEST8049716170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.586029053 CEST4971680192.168.2.8170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.591212988 CEST8049716170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.899480104 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.904766083 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.904879093 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.904913902 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.909677982 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.508569956 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.508590937 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.508605003 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.508676052 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.508698940 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.508738995 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.508866072 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.514097929 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.894680023 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.899880886 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.899956942 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.900022030 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.904846907 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.538731098 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.538876057 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.539040089 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.539040089 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.544055939 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.991458893 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.997493029 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.997596025 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.997627974 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.003624916 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.721687078 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.722110987 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.722199917 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.722739935 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.727756023 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.677495956 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.682679892 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.682810068 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.682877064 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.688606977 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.358859062 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.359009981 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.359103918 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.359146118 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.363785982 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.427856922 CEST6022380192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.432811975 CEST806022315.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.432909012 CEST6022380192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.432952881 CEST6022380192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.437908888 CEST806022315.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.959588051 CEST806022315.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.959820986 CEST6022380192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.959952116 CEST806022315.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.960002899 CEST6022380192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.964721918 CEST806022315.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.878561974 CEST6022480192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.883460045 CEST8060224188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.883611917 CEST6022480192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.883701086 CEST6022480192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.888633966 CEST8060224188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.609452009 CEST8060224188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.609632969 CEST6022480192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.611435890 CEST8060224188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.611502886 CEST6022480192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.614476919 CEST8060224188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:39.833633900 CEST6022880192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:30:39.838700056 CEST80602283.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:39.838896990 CEST6022880192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:30:39.838965893 CEST6022880192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:30:39.843888998 CEST80602283.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:40.325565100 CEST80602283.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:40.325807095 CEST80602283.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:40.325809002 CEST6022880192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:30:40.325864077 CEST6022880192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:30:40.330770016 CEST80602283.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:31:08.895189047 CEST6022980192.168.2.835.164.78.200
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.140079021 CEST806022935.164.78.200192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.141366959 CEST6022980192.168.2.835.164.78.200
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.141431093 CEST6022980192.168.2.835.164.78.200
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.146253109 CEST806022935.164.78.200192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.908768892 CEST806022935.164.78.200192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.908910990 CEST806022935.164.78.200192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.914916039 CEST6022980192.168.2.835.164.78.200
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.914963961 CEST6022980192.168.2.835.164.78.200
                                                                                                                                                                                                          Aug 5, 2024 16:31:09.919799089 CEST806022935.164.78.200192.168.2.8
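The packet tables in this report are flattened on extraction: timestamp, source port, destination port, source IP and destination IP are run together with no separator, so the two port numbers and the first octet of the remote address form a single digit run. The Python below is an added example, not part of the Joe Sandbox report, that recovers the fields by anchoring on the analysis VM address visible in the tables (192.168.2.8) and on the Windows dynamic source-port range, then rebuilds per-flow packet counts and computes the indicators behind the report's network signatures: total DNS query count against the report's own "> 100" threshold, peak queries in a sliding one-second window, and the set of distinct HTTP peers. The rows embedded in ROWS are copied from this section's TCP and UDP tables; AMBIGUOUS_ROW, the one-second window and the constant and function names are the example's own choices.

```python
from dataclasses import dataclass
from datetime import datetime

SANDBOX_IP = "192.168.2.8"        # analysis VM address, as shown in the report's packet tables
EPHEMERAL = range(49152, 65536)   # Windows dynamic port range; used to split the fused port digits
DNS_LOOKUP_THRESHOLD = 100        # the report's "Executes massive DNS lookups (> 100)" signature

# Rows copied from this section's TCP and UDP tables in their flattened layout:
# timestamp, source port, dest port, source IP, dest IP with no separators.
ROWS = """\
Aug 5, 2024 16:29:25.244726896 CEST4971480192.168.2.885.13.130.3
Aug 5, 2024 16:29:25.249881029 CEST804971485.13.130.3192.168.2.8
Aug 5, 2024 16:29:11.065494061 CEST6190253192.168.2.81.1.1.1
Aug 5, 2024 16:29:11.075903893 CEST53619021.1.1.1192.168.2.8
Aug 5, 2024 16:29:11.078541994 CEST4945153192.168.2.81.1.1.1
Aug 5, 2024 16:29:11.320658922 CEST6318553192.168.2.81.1.1.1
Aug 5, 2024 16:29:11.563086033 CEST5570653192.168.2.81.1.1.1
Aug 5, 2024 16:29:11.574672937 CEST53557061.1.1.1192.168.2.8
Aug 5, 2024 16:29:11.575319052 CEST5691953192.168.2.81.1.1.1
Aug 5, 2024 16:29:11.586781025 CEST5541553192.168.2.81.1.1.1
Aug 5, 2024 16:29:11.598402977 CEST6104553192.168.2.81.1.1.1
Aug 5, 2024 16:29:11.770251989 CEST6240753192.168.2.81.1.1.1
Aug 5, 2024 16:29:12.021816015 CEST5559953192.168.2.81.1.1.1
Aug 5, 2024 16:29:12.034068108 CEST5944853192.168.2.81.1.1.1
Aug 5, 2024 16:29:12.046355963 CEST5961353192.168.2.81.1.1.1
Aug 5, 2024 16:29:12.541176081 CEST6157353192.168.2.81.1.1.1
Aug 5, 2024 16:29:12.553683996 CEST6463853192.168.2.81.1.1.1
Aug 5, 2024 16:29:12.565465927 CEST6029753192.168.2.81.1.1.1
Aug 5, 2024 16:29:12.812391043 CEST5734953192.168.2.81.1.1.1
""".splitlines()
# Constructed row (not from the report) whose digits split two valid ways; only the fact that
# 55706 was already seen as a sandbox source port resolves it.
AMBIGUOUS_ROW = "Aug 5, 2024 16:29:11.574672937 CEST55570612.0.0.1192.168.2.8"

@dataclass(frozen=True)
class Packet:
    ts: float          # epoch seconds; the stamps carry 9 fractional digits, %f accepts 6
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _valid_ip(s):
    o = s.split(".")
    return len(o) == 4 and all(x.isdigit() and (x == "0" or x[0] != "0") and int(x) <= 255 for x in o)

def _valid_port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535

def parse_row(row, seen_ports=frozenset()):
    """Recover one Packet: every split of the fused digit run is tried and kept only if both ports and
    both addresses validate; `seen_ports` (sandbox ports already seen as sources) breaks ties, since a
    reply reuses the request's port."""
    stamp, sep, rest = row.partition(" CEST")
    if not sep:
        raise ValueError(f"no timestamp in {row!r}")
    ts = (datetime.strptime(stamp[:-3], "%b %d, %Y %H:%M:%S.%f") - datetime(1970, 1, 1)).total_seconds()
    cands = []
    i = rest.find(SANDBOX_IP)
    if i > 0 and rest[:i].isdigit():  # sandbox is sender: <sbx port><remote port><SANDBOX_IP><remote IP>
        sbx, rem, rip = rest[:5], rest[5:i], rest[i + len(SANDBOX_IP):]
        if _valid_port(sbx) and int(sbx) in EPHEMERAL and _valid_port(rem) and _valid_ip(rip):
            cands.append(Packet(ts, SANDBOX_IP, int(sbx), rip, int(rem)))
    if rest.endswith(SANDBOX_IP):     # sandbox is receiver: <remote port><sbx port><remote IP><SANDBOX_IP>
        lead, dot, tail = rest[:-len(SANDBOX_IP)].partition(".")
        for k in range(1, len(lead) - 5):
            rem, sbx, rip = lead[:k], lead[k:k + 5], lead[k + 5:] + dot + tail
            if _valid_port(rem) and _valid_port(sbx) and int(sbx) in EPHEMERAL and _valid_ip(rip):
                cands.append(Packet(ts, rip, int(rem), SANDBOX_IP, int(sbx)))
    if len(cands) > 1:
        known = [c for c in cands if (c.dst_port if c.dst_ip == SANDBOX_IP else c.src_port) in seen_ports]
        cands = known if len(known) == 1 else cands
    if len(cands) != 1:
        raise ValueError(f"{len(cands)} valid parses for {row!r}")
    return cands[0]

def parse_rows(rows):
    packets, seen = [], set()
    for row in rows:
        p = parse_row(row, seen)
        if p.src_ip == SANDBOX_IP:
            seen.add(p.src_port)
        packets.append(p)
    return packets

def summarize(packets, window=1.0):
    """Flow counts keyed by (sandbox port, remote IP, remote port) plus the indicators behind the
    report's network signatures: DNS query count, peak queries in any `window` seconds, HTTP peers."""
    flows = {}
    for p in packets:
        key = (p.src_port, p.dst_ip, p.dst_port) if p.src_ip == SANDBOX_IP else (p.dst_port, p.src_ip, p.src_port)
        flows[key] = flows.get(key, 0) + 1
    dns = sorted(p.ts for p in packets if p.src_ip == SANDBOX_IP and p.dst_port == 53)
    peak = j = 0
    for i, t in enumerate(dns):              # sliding window over sorted query times
        while dns[j] < t - window:
            j += 1
        peak = max(peak, i - j + 1)
    return {"flows": flows, "dns_queries": len(dns), "peak_dns_per_window": peak,
            "massive_dns": len(dns) > DNS_LOOKUP_THRESHOLD,
            "http_peers": sorted({p.dst_ip for p in packets if p.src_ip == SANDBOX_IP and p.dst_port == 80})}
```

Running summarize(parse_rows(ROWS)) over the embedded rows gives 15 DNS queries with a peak of 11 inside one second and a single HTTP peer; the "massive" flag stays false here only because the excerpt holds a fraction of the report's lookups. Ties that seen_ports cannot break are raised as errors rather than guessed, which is the safer default when the parsed flows feed detection logic.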
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 16:29:11.065494061 CEST | 61902 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:11.075903893 CEST | 53 | 61902 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:11.078541994 CEST | 49451 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:11.319818020 CEST | 53 | 49451 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:11.320658922 CEST | 63185 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:11.562056065 CEST | 53 | 63185 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:11.563086033 CEST | 55706 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:11.574672937 CEST | 53 | 55706 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:11.575319052 CEST | 56919 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:11.586178064 CEST | 53 | 56919 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:11.586781025 CEST | 55415 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:11.597752094 CEST | 53 | 55415 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:11.598402977 CEST | 61045 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:11.769155979 CEST | 53 | 61045 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:11.770251989 CEST | 62407 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.020760059 CEST | 53 | 62407 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:12.021816015 CEST | 55599 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.033452034 CEST | 53 | 55599 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:12.034068108 CEST | 59448 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.045797110 CEST | 53 | 59448 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:12.046355963 CEST | 59613 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.063851118 CEST | 53 | 59613 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:12.541176081 CEST | 61573 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.552897930 CEST | 53 | 61573 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:12.553683996 CEST | 64638 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.564909935 CEST | 53 | 64638 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:12.565465927 CEST | 60297 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.806520939 CEST | 53 | 60297 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:29:12.812391043 CEST | 57349 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:29:12.823904037 CEST | 53 | 57349 | 1.1.1.1 | 192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:12.824645996 CEST5052353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:12.836756945 CEST53505231.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:12.840949059 CEST5204653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.082669973 CEST53520461.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.083547115 CEST6163253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.094002008 CEST53616321.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.094641924 CEST5977453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.104852915 CEST53597741.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.105659962 CEST6408253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.349757910 CEST53640821.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.350748062 CEST6373253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.361143112 CEST53637321.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.362283945 CEST5228053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.610430002 CEST53522801.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.613801956 CEST6274953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.630697012 CEST53627491.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.631630898 CEST6170153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.873183966 CEST53617011.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.874267101 CEST5733453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.886759996 CEST53573341.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.887563944 CEST5384353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.898473024 CEST53538431.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.899183989 CEST5868553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.908046961 CEST53586851.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.908596992 CEST5960953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.919905901 CEST53596091.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:13.920641899 CEST5008553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.166552067 CEST53500851.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.167725086 CEST5465253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.179265976 CEST53546521.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.180432081 CEST5814753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.421227932 CEST53581471.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.422060013 CEST6290353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.435067892 CEST53629031.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.435710907 CEST5937153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.449076891 CEST53593711.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.449692965 CEST5314653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.462477922 CEST53531461.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.463047981 CEST5605353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.473382950 CEST53560531.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.473974943 CEST6429553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.485368013 CEST53642951.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.485919952 CEST5459653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.497977972 CEST53545961.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.498548031 CEST4939653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:14.685664892 CEST53493961.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.428821087 CEST6504553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.442127943 CEST53650451.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.442900896 CEST6229953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.454788923 CEST53622991.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.455332041 CEST5954753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.467430115 CEST53595471.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.467931986 CEST5990953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.717009068 CEST53599091.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.718341112 CEST5251753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.959619045 CEST53525171.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.960390091 CEST6107453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.972425938 CEST53610741.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.973066092 CEST5769053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.986114979 CEST53576901.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:15.987015963 CEST6192853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.000363111 CEST53619281.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.001110077 CEST5090153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.016840935 CEST53509011.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.017591953 CEST6309653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.029915094 CEST53630961.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.030514002 CEST5614353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.273901939 CEST53561431.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.274945021 CEST5355453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.527143955 CEST53535541.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.527899027 CEST5603053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.538775921 CEST53560301.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.539710045 CEST5300253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.550420046 CEST53530021.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.551245928 CEST6306453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.561091900 CEST53630641.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.561868906 CEST5218853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.573014021 CEST53521881.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.573728085 CEST5788853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.826725006 CEST53578881.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.827564001 CEST5960753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.842817068 CEST53596071.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:16.843451023 CEST5691653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:17.033474922 CEST53569161.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:17.832559109 CEST6112853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.072935104 CEST53611281.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.073951960 CEST5804653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.325112104 CEST53580461.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.326138973 CEST5628853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.577333927 CEST53562881.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.578224897 CEST6310653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.591264963 CEST53631061.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.591835976 CEST4927453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.603315115 CEST53492741.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.603794098 CEST5426653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.843079090 CEST53542661.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:18.843851089 CEST5506053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:19.086600065 CEST53550601.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:19.087703943 CEST6482053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:19.264308929 CEST53648201.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:19.265280008 CEST5403053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:19.275741100 CEST53540301.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:19.276313066 CEST6098353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:19.529501915 CEST53609831.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:20.101965904 CEST4944953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:20.576548100 CEST53494491.1.1.1192.168.2.8
Timestamp                            SrcPort  DstPort  Source IP    Dest IP
Aug 5, 2024 16:29:20.577208042 CEST  56055    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:20.590104103 CEST  53       56055    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:20.590744019 CEST  55157    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:20.602689981 CEST  53       55157    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:20.603493929 CEST  52363    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:20.616842985 CEST  53       52363    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:20.617430925 CEST  58891    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:20.628355980 CEST  53       58891    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:20.628869057 CEST  55369    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:20.644896030 CEST  53       55369    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:20.645447969 CEST  52676    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:20.657478094 CEST  53       52676    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:20.657969952 CEST  58884    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:21.049282074 CEST  53       58884    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:21.527123928 CEST  54487    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:21.539367914 CEST  53       54487    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:21.540577888 CEST  54521    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:21.551533937 CEST  53       54521    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:21.574789047 CEST  52264    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:21.586282969 CEST  53       52264    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:21.588284016 CEST  65291    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:21.599277973 CEST  53       65291    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:21.605344057 CEST  63622    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:21.774164915 CEST  53       63622    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:21.775163889 CEST  59709    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:21.790712118 CEST  53       59709    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:21.791454077 CEST  53785    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:22.035350084 CEST  53       53785    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:22.036303043 CEST  59318    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:22.283190966 CEST  53       59318    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:22.284100056 CEST  49343    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:22.295522928 CEST  53       49343    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:22.296231985 CEST  54338    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:22.542083025 CEST  53       54338    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:22.543116093 CEST  60614    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:22.556404114 CEST  53       60614    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:22.557199955 CEST  64796    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:22.802392006 CEST  53       64796    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:22.803252935 CEST  59535    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:22.816875935 CEST  53       59535    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:22.817553997 CEST  65507    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.068275928 CEST  53       65507    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.069380045 CEST  50452    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.080602884 CEST  53       50452    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.081440926 CEST  65494    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.092896938 CEST  53       65494    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.094146967 CEST  65405    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.105020046 CEST  53       65405    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.105925083 CEST  64963    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.349452019 CEST  53       64963    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.350382090 CEST  58878    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.600841045 CEST  53       58878    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.601757050 CEST  49435    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.844789028 CEST  53       49435    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.845623016 CEST  57941    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:23.856199026 CEST  53       57941    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:23.859431982 CEST  58600    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:24.110539913 CEST  53       58600    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:24.111649036 CEST  63584    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:24.121798992 CEST  53       63584    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:24.122636080 CEST  54531    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:24.132436991 CEST  53       54531    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:24.133210897 CEST  50134    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:24.374351978 CEST  53       50134    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:24.375549078 CEST  55497    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:24.386292934 CEST  53       55497    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:24.387716055 CEST  60783    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:24.561223030 CEST  53       60783    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:25.244843006 CEST  55776    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:25.405180931 CEST  53       55776    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:25.406193018 CEST  61375    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:25.417926073 CEST  53       61375    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:26.839979887 CEST  60552    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.180814028 CEST  53       60552    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.181804895 CEST  51064    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.193702936 CEST  53       51064    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.209050894 CEST  56435    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.218801022 CEST  53       56435    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.219665051 CEST  52736    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.231834888 CEST  53       52736    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.232584953 CEST  60107    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.241944075 CEST  53       60107    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.244308949 CEST  56179    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.255887032 CEST  53       56179    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.256525040 CEST  61442    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.268976927 CEST  53       61442    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.269598007 CEST  64228    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.280803919 CEST  53       64228    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.281316042 CEST  62040    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.292068958 CEST  53       62040    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.295509100 CEST  62309    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.540225029 CEST  53       62309    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.541318893 CEST  64780    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.551896095 CEST  53       64780    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.552515984 CEST  63310    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.563276052 CEST  53       63310    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.563822985 CEST  64996    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.575335979 CEST  53       64996    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.576066971 CEST  53297    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.586533070 CEST  53       53297    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.587156057 CEST  55776    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:27.835112095 CEST  53       55776    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:27.836185932 CEST  55908    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:28.089803934 CEST  53       55908    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:28.586568117 CEST  62848    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:28.598711014 CEST  53       62848    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:28.599617958 CEST  63537    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:28.611409903 CEST  53       63537    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:28.612117052 CEST  52678    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:28.623290062 CEST  53       52678    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:28.623883963 CEST  61162    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:28.633673906 CEST  53       61162    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:28.634130001 CEST  51776    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:28.898875952 CEST  53       51776    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:29.509442091 CEST  62894    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:29.893948078 CEST  53       62894    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:30.539659023 CEST  53234    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:30.550525904 CEST  53       53234    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:30.551412106 CEST  64272    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:30.561933041 CEST  53       64272    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:30.562755108 CEST  63496    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:30.990739107 CEST  53       63496    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:31.722907066 CEST  49589    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:31.735565901 CEST  53       49589    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:31.736613035 CEST  55558    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:31.986884117 CEST  53       55558    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:31.987783909 CEST  63806    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:32.229449034 CEST  53       63806    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:32.230547905 CEST  58099    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:32.471544027 CEST  53       58099    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:32.472404003 CEST  61168    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:32.715445042 CEST  53       61168    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:32.716721058 CEST  59232    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:32.728327990 CEST  53       59232    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:32.729016066 CEST  54417    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:32.739342928 CEST  53       54417    1.1.1.1      192.168.2.8
Aug 5, 2024 16:29:32.740132093 CEST  51042    53       192.168.2.8  1.1.1.1
Aug 5, 2024 16:29:32.753119946 CEST  53       51042    1.1.1.1      192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.753752947 CEST5728053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.764743090 CEST53572801.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.765336037 CEST6484153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.776576042 CEST53648411.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.777215004 CEST5579653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.788311005 CEST53557961.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.788881063 CEST5245553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.799129009 CEST53524551.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.799729109 CEST6061353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.833617926 CEST53606131.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.836863041 CEST6322453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.849631071 CEST53632241.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.850334883 CEST5595453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.862149954 CEST53559541.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.863744020 CEST5027853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.105950117 CEST53502781.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.106801987 CEST5896853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.347024918 CEST53589681.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.348392963 CEST5406753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.676670074 CEST53540671.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.359734058 CEST5058153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.372128963 CEST53505811.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.373200893 CEST5776953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.386163950 CEST53577691.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.387434959 CEST5110153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.398993969 CEST53511011.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.399947882 CEST5761253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.408263922 CEST53576121.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.983928919 CEST5582953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.996634960 CEST53558291.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.997538090 CEST5071653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.245126963 CEST53507161.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.246263027 CEST6464353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.491301060 CEST53646431.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.492263079 CEST6531353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.503212929 CEST53653131.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.503863096 CEST5461353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.743726015 CEST53546131.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.744888067 CEST5109953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.755346060 CEST53510991.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.756145000 CEST6417053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.916809082 CEST53641701.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.918016911 CEST6494353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.928347111 CEST53649431.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.929451942 CEST5975853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.426992893 CEST53597581.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.961030960 CEST5801153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.977796078 CEST53580111.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.978693008 CEST6270653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.231750011 CEST53627061.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.232698917 CEST6539753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.242609978 CEST53653971.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.243967056 CEST6472053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.258848906 CEST53647201.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.259624004 CEST6076553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.276952028 CEST53607651.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.277749062 CEST5814453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.289258003 CEST53581441.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.290199995 CEST6084553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.877857924 CEST53608451.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.610333920 CEST4921853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.621022940 CEST53492181.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.621824980 CEST5540153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.631786108 CEST53554011.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.633855104 CEST5388653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.884322882 CEST53538861.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:30.198882103 CEST6377553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:30.211678028 CEST53637751.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:31.220506907 CEST5412653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:31.232464075 CEST53541261.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:32.236110926 CEST5378153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:32.477427959 CEST53537811.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:33.486401081 CEST6479753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:33.496949911 CEST53647971.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:34.501719952 CEST5577853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:34.741450071 CEST53557781.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:35.751744986 CEST6252453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:35.763319016 CEST53625241.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:36.767462015 CEST6512753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:36.782304049 CEST53651271.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:37.798796892 CEST6540153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:37.810231924 CEST53654011.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:38.814814091 CEST6169853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:38.828094959 CEST53616981.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:41.329832077 CEST5938253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:41.581301928 CEST53593821.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:42.595699072 CEST5972653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:42.606931925 CEST53597261.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:43.611092091 CEST6096853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:43.622618914 CEST53609681.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:44.627640009 CEST5443053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:44.639799118 CEST53544301.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:45.642466068 CEST5431653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:45.720616102 CEST53543161.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:46.736110926 CEST6348453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:46.980622053 CEST53634841.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:47.986190081 CEST6531653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:47.997689009 CEST53653161.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:49.002470016 CEST6273053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:49.020262003 CEST53627301.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:50.032907963 CEST6030953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:50.044676065 CEST53603091.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:51.048510075 CEST5353553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:51.060859919 CEST53535351.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:30:52.064111948 CEST5813053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:30:52.074872017 CEST53581301.1.1.1192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.296231985 CEST192.168.2.81.1.1.10x767dStandard query (0)freshsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.543116093 CEST192.168.2.81.1.1.10xcffStandard query (0)experiencesystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.557199955 CEST192.168.2.81.1.1.10xfdc6Standard query (0)freshtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.803252935 CEST192.168.2.81.1.1.10xf6d0Standard query (0)experiencetrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.817553997 CEST192.168.2.81.1.1.10xc008Standard query (0)gentlemanhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.069380045 CEST192.168.2.81.1.1.10xf4c0Standard query (0)alreadyhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.081440926 CEST192.168.2.81.1.1.10xc1caStandard query (0)gentlemanneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.094146967 CEST192.168.2.81.1.1.10xdcd7Standard query (0)alreadyneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.105925083 CEST192.168.2.81.1.1.10xf441Standard query (0)gentlemansystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.350382090 CEST192.168.2.81.1.1.10x974bStandard query (0)alreadysystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.601757050 CEST192.168.2.81.1.1.10x413eStandard query (0)gentlemantrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.845623016 CEST192.168.2.81.1.1.10x289dStandard query (0)alreadytrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.859431982 CEST192.168.2.81.1.1.10x9770Standard query (0)followhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.111649036 CEST192.168.2.81.1.1.10x4c2eStandard query (0)memberhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.122636080 CEST192.168.2.81.1.1.10x9aaStandard query (0)followneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.133210897 CEST192.168.2.81.1.1.10x6f24Standard query (0)memberneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.375549078 CEST192.168.2.81.1.1.10x3251Standard query (0)followsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.387716055 CEST192.168.2.81.1.1.10x3d51Standard query (0)membersystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:25.244843006 CEST192.168.2.81.1.1.10x4fdfStandard query (0)followtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:25.406193018 CEST192.168.2.81.1.1.10x254fStandard query (0)membertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:26.839979887 CEST192.168.2.81.1.1.10xdaa5Standard query (0)beginhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.181804895 CEST192.168.2.81.1.1.10x3be6Standard query (0)knownhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.209050894 CEST192.168.2.81.1.1.10xd2e6Standard query (0)beginneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.219665051 CEST192.168.2.81.1.1.10xa591Standard query (0)knownneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.232584953 CEST192.168.2.81.1.1.10x57c8Standard query (0)beginsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.244308949 CEST192.168.2.81.1.1.10xa8caStandard query (0)knownsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.256525040 CEST192.168.2.81.1.1.10xc0bcStandard query (0)begintrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.269598007 CEST192.168.2.81.1.1.10x82beStandard query (0)knowntrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.281316042 CEST192.168.2.81.1.1.10x34a7Standard query (0)summerhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.295509100 CEST192.168.2.81.1.1.10xc793Standard query (0)crowdhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.541318893 CEST192.168.2.81.1.1.10x6ff4Standard query (0)summerneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.552515984 CEST192.168.2.81.1.1.10xb55cStandard query (0)crowdneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.563822985 CEST192.168.2.81.1.1.10xbf43Standard query (0)summersystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.576066971 CEST192.168.2.81.1.1.10x2c77Standard query (0)crowdsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.587156057 CEST192.168.2.81.1.1.10x8c6bStandard query (0)summertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.836185932 CEST192.168.2.81.1.1.10x4106Standard query (0)crowdtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.586568117 CEST192.168.2.81.1.1.10xbc52Standard query (0)thoughthonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.599617958 CEST192.168.2.81.1.1.10x5215Standard query (0)waterhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.612117052 CEST192.168.2.81.1.1.10xe59cStandard query (0)thoughtneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.623883963 CEST192.168.2.81.1.1.10xb28eStandard query (0)waterneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.634130001 CEST192.168.2.81.1.1.10xe350Standard query (0)thoughtsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.509442091 CEST192.168.2.81.1.1.10xc454Standard query (0)watersystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.539659023 CEST192.168.2.81.1.1.10xbc3bStandard query (0)thoughttrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.551412106 CEST192.168.2.81.1.1.10x21b1Standard query (0)watertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.562755108 CEST192.168.2.81.1.1.10xa572Standard query (0)womanhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.722907066 CEST192.168.2.81.1.1.10x2bfdStandard query (0)smokehonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.736613035 CEST192.168.2.81.1.1.10x407dStandard query (0)womanneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.987783909 CEST192.168.2.81.1.1.10xa179Standard query (0)smokeneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.230547905 CEST192.168.2.81.1.1.10x6759Standard query (0)womansystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.472404003 CEST192.168.2.81.1.1.10x88f9Standard query (0)smokesystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.716721058 CEST192.168.2.81.1.1.10x9f5fStandard query (0)womantrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.729016066 CEST192.168.2.81.1.1.10xf9a2Standard query (0)smoketrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.740132093 CEST192.168.2.81.1.1.10xac47Standard query (0)partyhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.753752947 CEST192.168.2.81.1.1.10x5114Standard query (0)fighthonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.765336037 CEST192.168.2.81.1.1.10x6a23Standard query (0)partyneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.777215004 CEST192.168.2.81.1.1.10x561eStandard query (0)fightneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.788881063 CEST192.168.2.81.1.1.10x9abcStandard query (0)partysystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.799729109 CEST192.168.2.81.1.1.10xf52bStandard query (0)fightsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.836863041 CEST192.168.2.81.1.1.10xc0dbStandard query (0)partytrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.850334883 CEST192.168.2.81.1.1.10xb32cStandard query (0)fighttrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.863744020 CEST192.168.2.81.1.1.10x9f65Standard query (0)freshlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.106801987 CEST192.168.2.81.1.1.10x8a77Standard query (0)experiencelaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.348392963 CEST192.168.2.81.1.1.10x6b13Standard query (0)freshfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.359734058 CEST192.168.2.81.1.1.10x1d6cStandard query (0)experiencefancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.373200893 CEST192.168.2.81.1.1.10x81d2Standard query (0)freshconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.387434959 CEST192.168.2.81.1.1.10x6b12Standard query (0)experienceconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.399947882 CEST192.168.2.81.1.1.10x463aStandard query (0)freshfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.983928919 CEST192.168.2.81.1.1.10xb6b7Standard query (0)experiencefriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.997538090 CEST192.168.2.81.1.1.10xf2ceStandard query (0)gentlemanlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.246263027 CEST192.168.2.81.1.1.10x2ce3Standard query (0)alreadylaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.492263079 CEST192.168.2.81.1.1.10x7ac2Standard query (0)gentlemanfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.503863096 CEST192.168.2.81.1.1.10x7e89Standard query (0)alreadyfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.744888067 CEST192.168.2.81.1.1.10x2d97Standard query (0)gentlemanconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.756145000 CEST192.168.2.81.1.1.10x12dStandard query (0)alreadyconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.918016911 CEST192.168.2.81.1.1.10x2a0aStandard query (0)gentlemanfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.929451942 CEST192.168.2.81.1.1.10x7839Standard query (0)alreadyfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.961030960 CEST192.168.2.81.1.1.10xe21Standard query (0)followlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:36.978693008 CEST192.168.2.81.1.1.10xa71aStandard query (0)memberlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.232698917 CEST192.168.2.81.1.1.10x3525Standard query (0)followfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.243967056 CEST192.168.2.81.1.1.10xf5e7Standard query (0)memberfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.259624004 CEST192.168.2.81.1.1.10xfd1Standard query (0)followconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.277749062 CEST192.168.2.81.1.1.10x7520Standard query (0)memberconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:37.290199995 CEST192.168.2.81.1.1.10x154fStandard query (0)followfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.610333920 CEST192.168.2.81.1.1.10x1d24Standard query (0)memberfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:38.621824980 CEST192.168.2.81.1.1.10x5b5dStandard query (0)beginlaughter.netA (IP address)IN (0x0001)false
Aug 5, 2024 16:29:38.633855104 CEST | 192.168.2.8 | 1.1.1.1 | 0xc016 | Standard query (0) | knownlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:30.198882103 CEST | 192.168.2.8 | 1.1.1.1 | 0x9c67 | Standard query (0) | smokeclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:31.220506907 CEST | 192.168.2.8 | 1.1.1.1 | 0xd09 | Standard query (0) | womangeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:32.236110926 CEST | 192.168.2.8 | 1.1.1.1 | 0x9ae1 | Standard query (0) | smokegeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:33.486401081 CEST | 192.168.2.8 | 1.1.1.1 | 0xe179 | Standard query (0) | womaninclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:34.501719952 CEST | 192.168.2.8 | 1.1.1.1 | 0x463b | Standard query (0) | smokeinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:35.751744986 CEST | 192.168.2.8 | 1.1.1.1 | 0xfec1 | Standard query (0) | womannorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:36.767462015 CEST | 192.168.2.8 | 1.1.1.1 | 0x1880 | Standard query (0) | smokenorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:37.798796892 CEST | 192.168.2.8 | 1.1.1.1 | 0x49d | Standard query (0) | partyclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:38.814814091 CEST | 192.168.2.8 | 1.1.1.1 | 0x6890 | Standard query (0) | fightclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:41.329832077 CEST | 192.168.2.8 | 1.1.1.1 | 0x749a | Standard query (0) | fightgeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:42.595699072 CEST | 192.168.2.8 | 1.1.1.1 | 0xf04 | Standard query (0) | partyinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:43.611092091 CEST | 192.168.2.8 | 1.1.1.1 | 0x6903 | Standard query (0) | fightinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:44.627640009 CEST | 192.168.2.8 | 1.1.1.1 | 0x3984 | Standard query (0) | partynorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:45.642466068 CEST | 192.168.2.8 | 1.1.1.1 | 0x8a3d | Standard query (0) | fightnorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:46.736110926 CEST | 192.168.2.8 | 1.1.1.1 | 0x9178 | Standard query (0) | freshbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:47.986190081 CEST | 192.168.2.8 | 1.1.1.1 | 0x1fbf | Standard query (0) | experiencebranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:49.002470016 CEST | 192.168.2.8 | 1.1.1.1 | 0xf922 | Standard query (0) | freshbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:50.032907963 CEST | 192.168.2.8 | 1.1.1.1 | 0x8935 | Standard query (0) | experiencebelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:51.048510075 CEST | 192.168.2.8 | 1.1.1.1 | 0x7c09 | Standard query (0) | freshreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:52.064111948 CEST | 192.168.2.8 | 1.1.1.1 | 0xad79 | Standard query (0) | experiencereceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:53.080308914 CEST | 192.168.2.8 | 1.1.1.1 | 0x482c | Standard query (0) | freshquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:54.114175081 CEST | 192.168.2.8 | 1.1.1.1 | 0x2639 | Standard query (0) | experiencequarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:55.142385960 CEST | 192.168.2.8 | 1.1.1.1 | 0x8ac6 | Standard query (0) | gentlemanbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:56.173604965 CEST | 192.168.2.8 | 1.1.1.1 | 0xb15d | Standard query (0) | alreadybranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:57.423520088 CEST | 192.168.2.8 | 1.1.1.1 | 0x176e | Standard query (0) | gentlemanbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:58.439157963 CEST | 192.168.2.8 | 1.1.1.1 | 0xda66 | Standard query (0) | alreadybelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:59.689167976 CEST | 192.168.2.8 | 1.1.1.1 | 0xc207 | Standard query (0) | gentlemanreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:00.704968929 CEST | 192.168.2.8 | 1.1.1.1 | 0x6279 | Standard query (0) | alreadyreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:01.954981089 CEST | 192.168.2.8 | 1.1.1.1 | 0xbb7d | Standard query (0) | gentlemanquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:03.009968996 CEST | 192.168.2.8 | 1.1.1.1 | 0xbf1f | Standard query (0) | alreadyquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:04.048811913 CEST | 192.168.2.8 | 1.1.1.1 | 0xa1b | Standard query (0) | followbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:05.033351898 CEST | 192.168.2.8 | 1.1.1.1 | 0x96f5 | Standard query (0) | memberbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:06.220510006 CEST | 192.168.2.8 | 1.1.1.1 | 0xc0f4 | Standard query (0) | followbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:07.142529964 CEST | 192.168.2.8 | 1.1.1.1 | 0xb540 | Standard query (0) | memberbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:08.033078909 CEST | 192.168.2.8 | 1.1.1.1 | 0xa8c9 | Standard query (0) | followreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:10.736260891 CEST | 192.168.2.8 | 1.1.1.1 | 0x17b8 | Standard query (0) | followquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:11.970381975 CEST | 192.168.2.8 | 1.1.1.1 | 0x270b | Standard query (0) | memberquarter.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 5, 2024 16:29:11.075903893 CEST | 1.1.1.1 | 192.168.2.8 | 0x6d10 | Name error (3) | womanclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:11.319818020 CEST | 1.1.1.1 | 192.168.2.8 | 0x8476 | Name error (3) | smokeclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:11.562056065 CEST | 1.1.1.1 | 192.168.2.8 | 0xfe28 | Name error (3) | womangeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:11.574672937 CEST | 1.1.1.1 | 192.168.2.8 | 0xd7bb | Name error (3) | smokegeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:11.586178064 CEST | 1.1.1.1 | 192.168.2.8 | 0x88ae | Name error (3) | womaninclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:11.597752094 CEST | 1.1.1.1 | 192.168.2.8 | 0x9463 | Name error (3) | smokeinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:11.769155979 CEST | 1.1.1.1 | 192.168.2.8 | 0x38e8 | Name error (3) | womannorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.020760059 CEST | 1.1.1.1 | 192.168.2.8 | 0x3387 | Name error (3) | smokenorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.033452034 CEST | 1.1.1.1 | 192.168.2.8 | 0x4e84 | Name error (3) | partyclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.045797110 CEST | 1.1.1.1 | 192.168.2.8 | 0x2b79 | Name error (3) | fightclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.063851118 CEST | 1.1.1.1 | 192.168.2.8 | 0xc3a9 | No error (0) | partygeneral.net |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.063851118 CEST | 1.1.1.1 | 192.168.2.8 | 0xc3a9 | No error (0) | partygeneral.net |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.552897930 CEST | 1.1.1.1 | 192.168.2.8 | 0x4803 | Name error (3) | fightgeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.564909935 CEST | 1.1.1.1 | 192.168.2.8 | 0xd9aa | Name error (3) | partyinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.806520939 CEST | 1.1.1.1 | 192.168.2.8 | 0x1f95 | Name error (3) | fightinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.823904037 CEST | 1.1.1.1 | 192.168.2.8 | 0xb26 | Name error (3) | partynorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:12.836756945 CEST | 1.1.1.1 | 192.168.2.8 | 0x3b37 | Name error (3) | fightnorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.082669973 CEST | 1.1.1.1 | 192.168.2.8 | 0xaf47 | Name error (3) | freshbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.094002008 CEST | 1.1.1.1 | 192.168.2.8 | 0x9bd2 | Name error (3) | experiencebranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.104852915 CEST | 1.1.1.1 | 192.168.2.8 | 0xb315 | Name error (3) | freshbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.349757910 CEST | 1.1.1.1 | 192.168.2.8 | 0x28bb | Name error (3) | experiencebelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.361143112 CEST | 1.1.1.1 | 192.168.2.8 | 0x79f9 | Name error (3) | freshreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.610430002 CEST | 1.1.1.1 | 192.168.2.8 | 0x7c87 | Name error (3) | experiencereceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.630697012 CEST | 1.1.1.1 | 192.168.2.8 | 0x614d | Name error (3) | freshquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.873183966 CEST | 1.1.1.1 | 192.168.2.8 | 0x137f | Name error (3) | experiencequarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.886759996 CEST | 1.1.1.1 | 192.168.2.8 | 0xa541 | Name error (3) | gentlemanbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.898473024 CEST | 1.1.1.1 | 192.168.2.8 | 0x52e0 | Name error (3) | alreadybranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.908046961 CEST | 1.1.1.1 | 192.168.2.8 | 0x7cd6 | Name error (3) | gentlemanbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:13.919905901 CEST | 1.1.1.1 | 192.168.2.8 | 0x7fa7 | Name error (3) | alreadybelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.166552067 CEST | 1.1.1.1 | 192.168.2.8 | 0x3357 | Name error (3) | gentlemanreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.179265976 CEST | 1.1.1.1 | 192.168.2.8 | 0x3ef9 | Name error (3) | alreadyreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.421227932 CEST | 1.1.1.1 | 192.168.2.8 | 0x9ea2 | Name error (3) | gentlemanquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.435067892 CEST | 1.1.1.1 | 192.168.2.8 | 0x10cb | Name error (3) | alreadyquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.449076891 CEST | 1.1.1.1 | 192.168.2.8 | 0xe392 | Name error (3) | followbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.462477922 CEST | 1.1.1.1 | 192.168.2.8 | 0x9a7d | Name error (3) | memberbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.473382950 CEST | 1.1.1.1 | 192.168.2.8 | 0xeda | Name error (3) | followbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.485368013 CEST | 1.1.1.1 | 192.168.2.8 | 0x7059 | Name error (3) | memberbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.497977972 CEST | 1.1.1.1 | 192.168.2.8 | 0x942c | Name error (3) | followreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:14.685664892 CEST | 1.1.1.1 | 192.168.2.8 | 0xf05f | No error (0) | memberreceive.net |  | 35.164.78.200 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:15.442127943 CEST | 1.1.1.1 | 192.168.2.8 | 0x6e28 | Name error (3) | followquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:15.454788923 CEST | 1.1.1.1 | 192.168.2.8 | 0x68f1 | Name error (3) | memberquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:15.467430115 CEST | 1.1.1.1 | 192.168.2.8 | 0xedf9 | Name error (3) | beginbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:15.717009068 CEST | 1.1.1.1 | 192.168.2.8 | 0x4d20 | Name error (3) | knownbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:15.959619045 CEST | 1.1.1.1 | 192.168.2.8 | 0xb61d | Name error (3) | beginbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:15.972425938 CEST | 1.1.1.1 | 192.168.2.8 | 0x799f | Name error (3) | knownbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:15.986114979 CEST | 1.1.1.1 | 192.168.2.8 | 0x304 | Name error (3) | beginreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.000363111 CEST | 1.1.1.1 | 192.168.2.8 | 0x62bf | Name error (3) | knownreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.016840935 CEST | 1.1.1.1 | 192.168.2.8 | 0xc50b | Name error (3) | beginquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.029915094 CEST | 1.1.1.1 | 192.168.2.8 | 0x6516 | Name error (3) | knownquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.273901939 CEST | 1.1.1.1 | 192.168.2.8 | 0x4770 | Name error (3) | summerbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.527143955 CEST | 1.1.1.1 | 192.168.2.8 | 0x70fb | Name error (3) | crowdbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.538775921 CEST | 1.1.1.1 | 192.168.2.8 | 0x2cab | Name error (3) | summerbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.550420046 CEST | 1.1.1.1 | 192.168.2.8 | 0x3930 | Name error (3) | crowdbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.561091900 CEST | 1.1.1.1 | 192.168.2.8 | 0x8d10 | Name error (3) | summerreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.573014021 CEST | 1.1.1.1 | 192.168.2.8 | 0x13ef | Name error (3) | crowdreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.826725006 CEST | 1.1.1.1 | 192.168.2.8 | 0xbf38 | Name error (3) | summerquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:16.842817068 CEST | 1.1.1.1 | 192.168.2.8 | 0x8305 | Name error (3) | crowdquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:17.033474922 CEST | 1.1.1.1 | 192.168.2.8 | 0xb621 | No error (0) | thoughtbranch.net |  | 34.246.200.160 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:18.072935104 CEST | 1.1.1.1 | 192.168.2.8 | 0x1a7a | Name error (3) | waterbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:18.325112104 CEST | 1.1.1.1 | 192.168.2.8 | 0xf4fd | Name error (3) | thoughtbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:18.577333927 CEST | 1.1.1.1 | 192.168.2.8 | 0x52a1 | Name error (3) | waterbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:18.591264963 CEST | 1.1.1.1 | 192.168.2.8 | 0xae7a | Name error (3) | thoughtreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:18.603315115 CEST | 1.1.1.1 | 192.168.2.8 | 0x2b38 | Name error (3) | waterreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:18.843079090 CEST | 1.1.1.1 | 192.168.2.8 | 0x696 | Name error (3) | thoughtquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:19.086600065 CEST | 1.1.1.1 | 192.168.2.8 | 0x89ba | Name error (3) | waterquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:19.264308929 CEST | 1.1.1.1 | 192.168.2.8 | 0x8c0 | Name error (3) | womanbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:19.275741100 CEST | 1.1.1.1 | 192.168.2.8 | 0x2ccd | Name error (3) | smokebranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:19.529501915 CEST | 1.1.1.1 | 192.168.2.8 | 0x604a | No error (0) | womanbelieve.net |  | 15.197.142.173 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:19.529501915 CEST | 1.1.1.1 | 192.168.2.8 | 0x604a | No error (0) | womanbelieve.net |  | 3.33.152.147 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:20.576548100 CEST | 1.1.1.1 | 192.168.2.8 | 0x34c0 | Name error (3) | smokebelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:20.590104103 CEST | 1.1.1.1 | 192.168.2.8 | 0x43ea | Name error (3) | womanreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:20.602689981 CEST | 1.1.1.1 | 192.168.2.8 | 0xcfce | Name error (3) | smokereceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:20.616842985 CEST | 1.1.1.1 | 192.168.2.8 | 0xe433 | Name error (3) | womanquarter.net | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                          Aug 5, 2024 16:29:20.628355980 CEST1.1.1.1192.168.2.80xaf58Name error (3)smokequarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:20.644896030 CEST1.1.1.1192.168.2.80xbab5Name error (3)partybranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:20.657478094 CEST1.1.1.1192.168.2.80xdc0Name error (3)fightbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:21.049282074 CEST1.1.1.1192.168.2.80xda1eNo error (0)partybelieve.net15.197.192.55A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:21.539367914 CEST1.1.1.1192.168.2.80x33acName error (3)fightbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:21.551533937 CEST1.1.1.1192.168.2.80xc188Name error (3)partyreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:21.586282969 CEST1.1.1.1192.168.2.80x2213Name error (3)fightreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:21.599277973 CEST1.1.1.1192.168.2.80x711bName error (3)partyquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:21.774164915 CEST1.1.1.1192.168.2.80x46c1Name error (3)fightquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:21.790712118 CEST1.1.1.1192.168.2.80x83cdName error (3)freshhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.035350084 CEST1.1.1.1192.168.2.80x80Name error (3)experiencehonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.283190966 CEST1.1.1.1192.168.2.80x3781Name error (3)freshneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.295522928 CEST1.1.1.1192.168.2.80xb7c2Name error (3)experienceneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.542083025 CEST1.1.1.1192.168.2.80x767dName error (3)freshsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.556404114 CEST1.1.1.1192.168.2.80xcffName error (3)experiencesystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.802392006 CEST1.1.1.1192.168.2.80xfdc6Name error (3)freshtrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:22.816875935 CEST1.1.1.1192.168.2.80xf6d0Name error (3)experiencetrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.068275928 CEST1.1.1.1192.168.2.80xc008Name error (3)gentlemanhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.080602884 CEST1.1.1.1192.168.2.80xf4c0Name error (3)alreadyhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.092896938 CEST1.1.1.1192.168.2.80xc1caName error (3)gentlemanneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.105020046 CEST1.1.1.1192.168.2.80xdcd7Name error (3)alreadyneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.349452019 CEST1.1.1.1192.168.2.80xf441Name error (3)gentlemansystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.600841045 CEST1.1.1.1192.168.2.80x974bName error (3)alreadysystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.844789028 CEST1.1.1.1192.168.2.80x413eName error (3)gentlemantrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:23.856199026 CEST1.1.1.1192.168.2.80x289dName error (3)alreadytrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.110539913 CEST1.1.1.1192.168.2.80x9770Name error (3)followhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.121798992 CEST1.1.1.1192.168.2.80x4c2eName error (3)memberhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.132436991 CEST1.1.1.1192.168.2.80x9aaName error (3)followneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.374351978 CEST1.1.1.1192.168.2.80x6f24Name error (3)memberneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.386292934 CEST1.1.1.1192.168.2.80x3251Name error (3)followsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:24.561223030 CEST1.1.1.1192.168.2.80x3d51No error (0)membersystem.net85.13.130.3A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:25.405180931 CEST1.1.1.1192.168.2.80x4fdfName error (3)followtrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:25.417926073 CEST1.1.1.1192.168.2.80x254fNo error (0)membertrust.net3.33.130.190A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:25.417926073 CEST1.1.1.1192.168.2.80x254fNo error (0)membertrust.net15.197.148.33A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.180814028 CEST1.1.1.1192.168.2.80xdaa5Name error (3)beginhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.193702936 CEST1.1.1.1192.168.2.80x3be6Name error (3)knownhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.218801022 CEST1.1.1.1192.168.2.80xd2e6Name error (3)beginneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.231834888 CEST1.1.1.1192.168.2.80xa591Name error (3)knownneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.241944075 CEST1.1.1.1192.168.2.80x57c8Name error (3)beginsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.255887032 CEST1.1.1.1192.168.2.80xa8caName error (3)knownsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.268976927 CEST1.1.1.1192.168.2.80xc0bcName error (3)begintrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.280803919 CEST1.1.1.1192.168.2.80x82beName error (3)knowntrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.292068958 CEST1.1.1.1192.168.2.80x34a7Name error (3)summerhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.540225029 CEST1.1.1.1192.168.2.80xc793Name error (3)crowdhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.551896095 CEST1.1.1.1192.168.2.80x6ff4Name error (3)summerneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.563276052 CEST1.1.1.1192.168.2.80xb55cName error (3)crowdneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.575335979 CEST1.1.1.1192.168.2.80xbf43Name error (3)summersystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.586533070 CEST1.1.1.1192.168.2.80x2c77Name error (3)crowdsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:27.835112095 CEST1.1.1.1192.168.2.80x8c6bName error (3)summertrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.089803934 CEST1.1.1.1192.168.2.80x4106No error (0)crowdtrust.net170.187.200.48A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.598711014 CEST1.1.1.1192.168.2.80xbc52Name error (3)thoughthonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.611409903 CEST1.1.1.1192.168.2.80x5215Name error (3)waterhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.623290062 CEST1.1.1.1192.168.2.80xe59cName error (3)thoughtneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.633673906 CEST1.1.1.1192.168.2.80xb28eName error (3)waterneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:28.898875952 CEST1.1.1.1192.168.2.80xe350No error (0)thoughtsystem.net213.171.195.105A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:29.893948078 CEST1.1.1.1192.168.2.80xc454No error (0)watersystem.net64.190.63.222A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.550525904 CEST1.1.1.1192.168.2.80xbc3bName error (3)thoughttrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.561933041 CEST1.1.1.1192.168.2.80x21b1Name error (3)watertrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:30.990739107 CEST1.1.1.1192.168.2.80xa572No error (0)womanhonor.net54.244.188.177A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.735565901 CEST1.1.1.1192.168.2.80x2bfdName error (3)smokehonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:31.986884117 CEST1.1.1.1192.168.2.80x407dName error (3)womanneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.229449034 CEST1.1.1.1192.168.2.80xa179Name error (3)smokeneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.471544027 CEST1.1.1.1192.168.2.80x6759Name error (3)womansystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.715445042 CEST1.1.1.1192.168.2.80x88f9Name error (3)smokesystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.728327990 CEST1.1.1.1192.168.2.80x9f5fName error (3)womantrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.739342928 CEST1.1.1.1192.168.2.80xf9a2Name error (3)smoketrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.753119946 CEST1.1.1.1192.168.2.80xac47Name error (3)partyhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.764743090 CEST1.1.1.1192.168.2.80x5114Name error (3)fighthonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.776576042 CEST1.1.1.1192.168.2.80x6a23Name error (3)partyneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.788311005 CEST1.1.1.1192.168.2.80x561eName error (3)fightneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.799129009 CEST1.1.1.1192.168.2.80x9abcName error (3)partysystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.849631071 CEST1.1.1.1192.168.2.80xc0dbName error (3)partytrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:32.862149954 CEST1.1.1.1192.168.2.80xb32cName error (3)fighttrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.105950117 CEST1.1.1.1192.168.2.80x9f65Name error (3)freshlaughter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.347024918 CEST1.1.1.1192.168.2.80x8a77Name error (3)experiencelaughter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:33.676670074 CEST1.1.1.1192.168.2.80x6b13No error (0)freshfancy.net81.169.145.88A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.372128963 CEST1.1.1.1192.168.2.80x1d6cName error (3)experiencefancy.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.386163950 CEST1.1.1.1192.168.2.80x81d2Name error (3)freshconsider.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.398993969 CEST1.1.1.1192.168.2.80x6b12Name error (3)experienceconsider.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:34.996634960 CEST1.1.1.1192.168.2.80xb6b7Name error (3)experiencefriend.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.245126963 CEST1.1.1.1192.168.2.80xf2ceName error (3)gentlemanlaughter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.491301060 CEST1.1.1.1192.168.2.80x2ce3Name error (3)alreadylaughter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:29:35.503212929 CEST1.1.1.1192.168.2.80x7ac2Name error (3)gentlemanfancy.netnonenoneA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 5, 2024 16:29:35.743726015 CEST | 1.1.1.1 | 192.168.2.8 | 0x7e89 | Name error (3) | alreadyfancy.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:35.755346060 CEST | 1.1.1.1 | 192.168.2.8 | 0x2d97 | Name error (3) | gentlemanconsider.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:35.916809082 CEST | 1.1.1.1 | 192.168.2.8 | 0x12d | Name error (3) | alreadyconsider.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:35.928347111 CEST | 1.1.1.1 | 192.168.2.8 | 0x2a0a | Name error (3) | gentlemanfriend.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:36.426992893 CEST | 1.1.1.1 | 192.168.2.8 | 0x7839 | No error (0) | alreadyfriend.net | | 15.197.192.55 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:36.977796078 CEST | 1.1.1.1 | 192.168.2.8 | 0xe21 | Name error (3) | followlaughter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:37.231750011 CEST | 1.1.1.1 | 192.168.2.8 | 0xa71a | Name error (3) | memberlaughter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:37.242609978 CEST | 1.1.1.1 | 192.168.2.8 | 0x3525 | Name error (3) | followfancy.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:37.258848906 CEST | 1.1.1.1 | 192.168.2.8 | 0xf5e7 | Name error (3) | memberfancy.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:37.276952028 CEST | 1.1.1.1 | 192.168.2.8 | 0xfd1 | Name error (3) | followconsider.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:37.289258003 CEST | 1.1.1.1 | 192.168.2.8 | 0x7520 | Name error (3) | memberconsider.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:37.877857924 CEST | 1.1.1.1 | 192.168.2.8 | 0x154f | No error (0) | followfriend.net | | 188.225.40.227 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:38.621022940 CEST | 1.1.1.1 | 192.168.2.8 | 0x1d24 | Name error (3) | memberfriend.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:38.631786108 CEST | 1.1.1.1 | 192.168.2.8 | 0x5b5d | Name error (3) | beginlaughter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:29:38.884322882 CEST | 1.1.1.1 | 192.168.2.8 | 0xc016 | Name error (3) | knownlaughter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:30.211678028 CEST | 1.1.1.1 | 192.168.2.8 | 0x9c67 | Name error (3) | smokeclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:31.232464075 CEST | 1.1.1.1 | 192.168.2.8 | 0xd09 | Name error (3) | womangeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:32.477427959 CEST | 1.1.1.1 | 192.168.2.8 | 0x9ae1 | Name error (3) | smokegeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:33.496949911 CEST | 1.1.1.1 | 192.168.2.8 | 0xe179 | Name error (3) | womaninclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:34.741450071 CEST | 1.1.1.1 | 192.168.2.8 | 0x463b | Name error (3) | smokeinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:35.763319016 CEST | 1.1.1.1 | 192.168.2.8 | 0xfec1 | Name error (3) | womannorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:36.782304049 CEST | 1.1.1.1 | 192.168.2.8 | 0x1880 | Name error (3) | smokenorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:37.810231924 CEST | 1.1.1.1 | 192.168.2.8 | 0x49d | Name error (3) | partyclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:38.828094959 CEST | 1.1.1.1 | 192.168.2.8 | 0x6890 | Name error (3) | fightclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:41.581301928 CEST | 1.1.1.1 | 192.168.2.8 | 0x749a | Name error (3) | fightgeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:42.606931925 CEST | 1.1.1.1 | 192.168.2.8 | 0xf04 | Name error (3) | partyinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:43.622618914 CEST | 1.1.1.1 | 192.168.2.8 | 0x6903 | Name error (3) | fightinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:44.639799118 CEST | 1.1.1.1 | 192.168.2.8 | 0x3984 | Name error (3) | partynorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:45.720616102 CEST | 1.1.1.1 | 192.168.2.8 | 0x8a3d | Name error (3) | fightnorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:46.980622053 CEST | 1.1.1.1 | 192.168.2.8 | 0x9178 | Name error (3) | freshbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:47.997689009 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fbf | Name error (3) | experiencebranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:49.020262003 CEST | 1.1.1.1 | 192.168.2.8 | 0xf922 | Name error (3) | freshbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:50.044676065 CEST | 1.1.1.1 | 192.168.2.8 | 0x8935 | Name error (3) | experiencebelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:51.060859919 CEST | 1.1.1.1 | 192.168.2.8 | 0x7c09 | Name error (3) | freshreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:52.074872017 CEST | 1.1.1.1 | 192.168.2.8 | 0xad79 | Name error (3) | experiencereceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:53.100538015 CEST | 1.1.1.1 | 192.168.2.8 | 0x482c | Name error (3) | freshquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:54.125411987 CEST | 1.1.1.1 | 192.168.2.8 | 0x2639 | Name error (3) | experiencequarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:55.160931110 CEST | 1.1.1.1 | 192.168.2.8 | 0x8ac6 | Name error (3) | gentlemanbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:56.414340019 CEST | 1.1.1.1 | 192.168.2.8 | 0xb15d | Name error (3) | alreadybranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:57.437084913 CEST | 1.1.1.1 | 192.168.2.8 | 0x176e | Name error (3) | gentlemanbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:58.684453964 CEST | 1.1.1.1 | 192.168.2.8 | 0xda66 | Name error (3) | alreadybelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:30:59.699279070 CEST | 1.1.1.1 | 192.168.2.8 | 0xc207 | Name error (3) | gentlemanreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:00.946132898 CEST | 1.1.1.1 | 192.168.2.8 | 0x6279 | Name error (3) | alreadyreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:01.965470076 CEST | 1.1.1.1 | 192.168.2.8 | 0xbb7d | Name error (3) | gentlemanquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:03.020843029 CEST | 1.1.1.1 | 192.168.2.8 | 0xbf1f | Name error (3) | alreadyquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:04.060475111 CEST | 1.1.1.1 | 192.168.2.8 | 0xa1b | Name error (3) | followbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:05.277419090 CEST | 1.1.1.1 | 192.168.2.8 | 0x96f5 | Name error (3) | memberbranch.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:06.230575085 CEST | 1.1.1.1 | 192.168.2.8 | 0xc0f4 | Name error (3) | followbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:07.155838966 CEST | 1.1.1.1 | 192.168.2.8 | 0xb540 | Name error (3) | memberbelieve.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:08.045919895 CEST | 1.1.1.1 | 192.168.2.8 | 0xa8c9 | Name error (3) | followreceive.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:11.173512936 CEST | 1.1.1.1 | 192.168.2.8 | 0x17b8 | Name error (3) | followquarter.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:31:11.978821993 CEST | 1.1.1.1 | 192.168.2.8 | 0x270b | Name error (3) | memberquarter.net | none | none | A (IP address) | IN (0x0001) | false
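
The two-word .net names above, almost all answered NXDOMAIN within a few seconds of each other, are the traffic behind the report's "Tries to resolve many domain names, but no domain seems valid" and "Executes massive DNS lookups" signatures. The script below is an added triage example, not Joe Sandbox output: it runs over rows transcribed from the table above (the 16:29:35 to 16:29:38 burst), flags a window with a high NXDOMAIN share, tests whether the queried names are built by combining shared prefixes with shared suffixes (the cross-product shape a two-wordlist generator produces), and lists the few names that did resolve, which are the ones to check against C2 and sinkhole intelligence. The window length, the thresholds and the minimum affix length are illustrative assumptions, not values taken from the report.

```python
"""Added triage example over the DNS answer rows in the report above (not
Joe Sandbox code). Window, thresholds and affix length are assumptions."""
from collections import Counter
from datetime import datetime

# Rows transcribed from the DNS answers table above (16:29:35-16:29:38 burst).
# Fields: timestamp | reply code | queried name | answer address ("none" = NXDOMAIN)
DNS_ROWS = """\
Aug 5, 2024 16:29:35.743726015 CEST | Name error (3) | alreadyfancy.net | none
Aug 5, 2024 16:29:35.755346060 CEST | Name error (3) | gentlemanconsider.net | none
Aug 5, 2024 16:29:35.916809082 CEST | Name error (3) | alreadyconsider.net | none
Aug 5, 2024 16:29:35.928347111 CEST | Name error (3) | gentlemanfriend.net | none
Aug 5, 2024 16:29:36.426992893 CEST | No error (0) | alreadyfriend.net | 15.197.192.55
Aug 5, 2024 16:29:36.977796078 CEST | Name error (3) | followlaughter.net | none
Aug 5, 2024 16:29:37.231750011 CEST | Name error (3) | memberlaughter.net | none
Aug 5, 2024 16:29:37.242609978 CEST | Name error (3) | followfancy.net | none
Aug 5, 2024 16:29:37.258848906 CEST | Name error (3) | memberfancy.net | none
Aug 5, 2024 16:29:37.276952028 CEST | Name error (3) | followconsider.net | none
Aug 5, 2024 16:29:37.289258003 CEST | Name error (3) | memberconsider.net | none
Aug 5, 2024 16:29:37.877857924 CEST | No error (0) | followfriend.net | 188.225.40.227
Aug 5, 2024 16:29:38.621022940 CEST | Name error (3) | memberfriend.net | none
Aug 5, 2024 16:29:38.631786108 CEST | Name error (3) | beginlaughter.net | none
Aug 5, 2024 16:29:38.884322882 CEST | Name error (3) | knownlaughter.net | none
"""


def parse_ts(text):
    """'Aug 5, 2024 16:29:35.743726015 CEST' -> naive datetime; the report's
    nanosecond fraction is truncated to the microseconds datetime supports."""
    date, frac_tz = text.rsplit(".", 1)
    frac = frac_tz.split(" ", 1)[0]
    return datetime.strptime(f"{date}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, rcode, name, addr = (f.strip() for f in line.split("|"))
        rows.append({"ts": parse_ts(ts), "nxdomain": rcode.startswith("Name error"),
                     "name": name, "addr": None if addr == "none" else addr})
    return rows


def sld(name):
    """Second-level label: 'alreadyfancy' for 'alreadyfancy.net'."""
    return name.lower().rstrip(".").split(".")[-2]


def combinatorial_names(names, min_part=4, min_shared=2):
    """Names whose SLD splits into a prefix and a suffix that each occur in at
    least `min_shared` distinct SLDs of the set. That cross-product shape
    (already|follow|member x fancy|consider|friend) is what a two-wordlist
    generator produces; a lone name such as beginlaughter.net does not qualify."""
    slds = {n: sld(n) for n in names}
    pre, suf = Counter(), Counter()
    for s in set(slds.values()):
        for k in range(min_part, len(s) - min_part + 1):
            pre[s[:k]] += 1
            suf[s[k:]] += 1
    return [n for n, s in slds.items()
            if any(pre[s[:k]] >= min_shared and suf[s[k:]] >= min_shared
                   for k in range(min_part, len(s) - min_part + 1))]


def triage(rows, window_s=10, min_nx=8, min_nx_ratio=0.6):
    """Find the `window_s`-second window with the most NXDOMAIN answers and
    report it when it holds at least `min_nx` of them making up at least
    `min_nx_ratio` of its lookups. Returns None when nothing trips."""
    rows = sorted(rows, key=lambda r: r["ts"])
    best = None
    for i, start in enumerate(rows):
        window = [r for r in rows[i:]
                  if (r["ts"] - start["ts"]).total_seconds() <= window_s]
        nx = sum(r["nxdomain"] for r in window)
        if (nx >= min_nx and nx / len(window) >= min_nx_ratio
                and (best is None or nx > best["nxdomain"])):
            best = {"start": start["ts"], "lookups": len(window), "nxdomain": nx,
                    "combinatorial": combinatorial_names([r["name"] for r in window]),
                    # the names that DID resolve are the ones to check against C2/sinkhole intel
                    "resolved": [(r["name"], r["addr"]) for r in window if r["addr"]]}
    return best


if __name__ == "__main__":
    print(triage(parse_rows(DNS_ROWS)))
```

On the transcribed burst the script reports 13 NXDOMAINs out of 15 lookups, marks 13 names as combinatorial (beginlaughter.net and knownlaughter.net share a suffix but no prefix with the others), and returns alreadyfriend.net and followfriend.net with their addresses. The affix check is a shape heuristic, so pair it with the NXDOMAIN ratio rather than using it alone on general resolver logs.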
• partygeneral.net
• memberreceive.net
• thoughtbranch.net
• womanbelieve.net
• partybelieve.net
• membersystem.net
• membertrust.net
• crowdtrust.net
• thoughtsystem.net
• watersystem.net
• womanhonor.net
• freshfancy.net
• alreadyfriend.net
• followfriend.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 3.33.130.190 | 80 | 2768 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:29:12.071218014 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: partygeneral.net
Aug 5, 2024 16:29:12.540308952 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:29:12 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49705 | 35.164.78.200 | 80 | 2768 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:29:14.692574024 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: memberreceive.net
Aug 5, 2024 16:29:15.427299976 CEST | 382 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:29:15 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=3f009f681c83367b74541261127a886f|8.46.123.33|1722868155|1722868155|0|1|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49706 | 34.246.200.160 | 80 | 2768 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:29:17.041102886 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: thoughtbranch.net
Aug 5, 2024 16:29:17.830583096 CEST | 382 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:29:17 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=8258cda71c936d7b7244f8a65d537fb1|8.46.123.33|1722868157|1722868157|0|1|0; path=/; domain=.thoughtbranch.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49707 | 15.197.142.173 | 80 | 2768 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:29:19.535299063 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: womanbelieve.net
Aug 5, 2024 16:29:20.101177931 CEST | 266 | IN | HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 05 Aug 2024 14:29:19 GMT
Content-Type: text/html
Content-Length: 118
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
4           192.168.2.8  49711        15.197.192.55    80                2768  C:\hjflhukc\yanidfx.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:29:21.055541992 CEST  83                 OUT
    GET /index.php HTTP/1.0
    Accept: */*
    Connection: close
    Host: partybelieve.net
Aug 5, 2024 16:29:21.526259899 CEST  254                IN
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 05 Aug 2024 14:29:21 GMT
    Content-Type: text/html
    Content-Length: 114
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
5           192.168.2.8  49714        85.13.130.3      80                2768  C:\hjflhukc\yanidfx.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:29:24.566958904 CEST  83                 OUT
    GET /index.php HTTP/1.0
    Accept: */*
    Connection: close
    Host: membersystem.net
Aug 5, 2024 16:29:25.243931055 CEST  452                IN
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 05 Aug 2024 14:29:25 GMT
    Server: Apache
    Location: https://all-inkl.com/index.php
    Content-Length: 238
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 2d 69 6e 6b 6c 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://all-inkl.com/index.php">here</a>.</p></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
6           192.168.2.8  49715        3.33.130.190     80                2768  C:\hjflhukc\yanidfx.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:29:25.426461935 CEST  82                 OUT
    GET /index.php HTTP/1.0
    Accept: */*
    Connection: close
    Host: membertrust.net
Aug 5, 2024 16:29:26.839092970 CEST  254                IN
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 05 Aug 2024 14:29:26 GMT
    Content-Type: text/html
    Content-Length: 114
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
7           192.168.2.8  49716        170.187.200.48   80                2768  C:\hjflhukc\yanidfx.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:29:28.096674919 CEST  81                 OUT
    GET /index.php HTTP/1.0
    Accept: */*
    Connection: close
    Host: crowdtrust.net
Aug 5, 2024 16:29:28.585762978 CEST  289                IN
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Mon, 05 Aug 2024 14:29:28 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
8           192.168.2.8  49717        213.171.195.105  80                2768  C:\hjflhukc\yanidfx.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:29:28.904913902 CEST  84                 OUT
    GET /index.php HTTP/1.0
    Accept: */*
    Connection: close
    Host: thoughtsystem.net
Aug 5, 2024 16:29:29.508569956 CEST  1236               IN
    HTTP/1.1 200 OK
    server: nginx/1.20.1
    date: Mon, 05 Aug 2024 14:29:29 GMT
    content-type: text/html
    content-length: 2873
    last-modified: Tue, 16 Jul 2024 11:33:23 GMT
    etag: "66965a83-b39"
    accept-ranges: bytes
    connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 70 61 72 6b 69 6e 67 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 63 73 73 2f 69 6e 64 65 78 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 66 61 73 [TRUNCATED]
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain
Aug 5, 2024 16:29:29.508590937 CEST  1236               IN
    Data Raw: 56 61 72 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 70 61 72 6b 65 64 20 66 6f 72 20 46 52 45 45 20 62 79 0a 20 20 20 20 20 20 20
    Data Ascii: Var"></span></h2> <p> This domain name is parked for FREE by <strong><a href="https://fasthosts.co.uk/" rel="nofollow">fasthosts.co.uk</a></strong> </p> <div class="row"> <div class="card card--is-cta
Aug 5, 2024 16:29:29.508605003 CEST  635                IN
    Data Raw: 66 61 73 74 68 6f 73 74 73 2e 63 6f 2e 75 6b 2f 63 6f 6e 74 61 63 74 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 64 6f 6d 61 69 6e 70 61 72 6b 69 6e 67 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 72 65 66 65 72 72 61 6c 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d
    Data Ascii: fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_contact">Contact us</a> </main> </div> <script> const cleanHostname = document.location.hostname.indexOf("www.") && document.location.hos


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
9           192.168.2.8  49718        64.190.63.222    80                2768  C:\hjflhukc\yanidfx.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:29:29.900022030 CEST  82                 OUT
    GET /index.php HTTP/1.0
    Accept: */*
    Connection: close
    Host: watersystem.net
Aug 5, 2024 16:29:30.538731098 CEST  208                IN
    HTTP/1.1 403 Forbidden
    content-length: 93
    cache-control: no-cache
    content-type: text/html
    connection: close
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
10          192.168.2.8  49719        54.244.188.177   80                2768  C:\hjflhukc\yanidfx.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:29:30.997627974 CEST  81                 OUT
    GET /index.php HTTP/1.0
    Accept: */*
    Connection: close
    Host: womanhonor.net
Aug 5, 2024 16:29:31.721687078 CEST  379                IN
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 05 Aug 2024 14:29:31 GMT
    Content-Type: text/html
    Connection: close
    Set-Cookie: btst=5a675666a9e15e650b2851028bb30416|8.46.123.33|1722868171|1722868171|0|1|0; path=/; domain=.womanhonor.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49720 | 81.169.145.88 | 80 | 2768 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:29:33.682877064 CEST | 81 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: freshfancy.net
Aug 5, 2024 16:29:34.358859062 CEST | 374 | IN | HTTP/1.1 404 Not Found
Date: Mon, 05 Aug 2024 14:29:34 GMT
Server: Apache/2.4.61 (Unix)
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 60223 | 15.197.192.55 | 80 | 2768 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:29:36.432952881 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: alreadyfriend.net
Aug 5, 2024 16:29:36.959588051 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:29:36 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 60224 | 188.225.40.227 | 80 | 2768 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:29:37.883701086 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: followfriend.net
Aug 5, 2024 16:29:38.609452009 CEST | 373 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.1
Date: Mon, 05 Aug 2024 14:29:38 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Location: https://followfriend.net/index.php
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.8 | 60228 | 3.33.130.190 | 80 | 3392 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:30:39.838965893 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: partygeneral.net
Aug 5, 2024 16:30:40.325565100 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:30:40 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.8 | 60229 | 35.164.78.200 | 80 | 3392 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:31:09.141431093 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: memberreceive.net
Aug 5, 2024 16:31:09.908768892 CEST | 382 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:31:09 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=443bdde055355c9f079649ca0975a0a4|8.46.123.33|1722868269|1722868269|0|1|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Target ID:1
Start time:10:29:05
Start date:05/08/2024
Path:C:\Users\user\Desktop\7qBBKk0P4l.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\7qBBKk0P4l.exe"
Imagebase:0xc0000
File size:236'032 bytes
MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:10:29:06
Start date:05/08/2024
Path:C:\hjflhukc\psjpq2i82ktsjq0yguk.exe
Wow64 process (32bit):true
Commandline:"C:\hjflhukc\psjpq2i82ktsjq0yguk.exe"
Imagebase:0x920000
File size:236'032 bytes
MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation:low
Has exited:true

Target ID:3
Start time:10:29:06
Start date:05/08/2024
Path:C:\hjflhukc\yanidfx.exe
Wow64 process (32bit):true
Commandline:C:\hjflhukc\yanidfx.exe
Imagebase:0x6e0000
File size:236'032 bytes
MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation:low
Has exited:true

Target ID:4
Start time:10:29:08
Start date:05/08/2024
Path:C:\hjflhukc\xxxniijvj.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
                                                                                                                                                                                                          Imagebase:0xe0000
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                          • Detection: 92%, ReversingLabs
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:5
                                                                                                                                                                                                          Start time:10:29:09
                                                                                                                                                                                                          Start date:05/08/2024
                                                                                                                                                                                                          Path:C:\hjflhukc\yanidfx.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\hjflhukc\yanidfx.exe"
                                                                                                                                                                                                          Imagebase:0x6e0000
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                          Start time:10:29:48
                                                                                                                                                                                                          Start date:05/08/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                                                                          Imagebase:0x7ff67e6d0000
                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                          Start time:10:30:25
                                                                                                                                                                                                          Start date:05/08/2024
                                                                                                                                                                                                          Path:C:\hjflhukc\yanidfx.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"c:\hjflhukc\yanidfx.exe"
                                                                                                                                                                                                          Imagebase:0x6e0000
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                          Start time:10:30:26
                                                                                                                                                                                                          Start date:05/08/2024
                                                                                                                                                                                                          Path:C:\hjflhukc\xxxniijvj.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
                                                                                                                                                                                                          Imagebase:0xe20000
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:false
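
The process entries above show the submitted sample's MD5 (94E7772B2B1BDA89B23A2FBA0E57742E) reappearing under C:\hjflhukc\ with two file names, and one copy (xxxniijvj.exe) being launched with the other copy's path as its argument, while the svchost.exe entry carries a different hash and runs from System32. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses Target ID blocks of this form and flags exactly those two patterns. The trusted-directory allow-list and the wording of the findings are assumptions made for this example; the five trimmed entries embedded as input are copied from the list above.

```python
"""
Added triage helper (not part of the Joe Sandbox report): parse the
"Target ID" process entries and flag (a) processes whose MD5 equals the
submitted sample's but which run outside the usual program directories, and
(b) processes whose command line hands another such copy to the new process.
"""
import re
from dataclasses import dataclass

# MD5 of the submitted sample, taken from the report header.
SAMPLE_MD5 = "94E7772B2B1BDA89B23A2FBA0E57742E"

# Directories a legitimate binary would be expected to run from. This
# allow-list is an assumption made for the example, not a report setting.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed input: five entries copied from the process list above, trimmed
# to the fields the triage needs. Raw string, so the backslashes stay literal.
REPORT = r"""
Target ID:4
Path:C:\hjflhukc\xxxniijvj.exe
Commandline:tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
Has administrator privileges:true

Target ID:5
Path:C:\hjflhukc\yanidfx.exe
Commandline:"C:\hjflhukc\yanidfx.exe"
MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
Has administrator privileges:true

Target ID:9
Path:C:\Windows\System32\svchost.exe
Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has administrator privileges:false

Target ID:10
Path:C:\hjflhukc\yanidfx.exe
Commandline:"c:\hjflhukc\yanidfx.exe"
MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
Has administrator privileges:true

Target ID:11
Path:C:\hjflhukc\xxxniijvj.exe
Commandline:tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
Has administrator privileges:true
"""


@dataclass
class Proc:
    target_id: int
    path: str
    cmdline: str
    md5: str
    admin: bool


def parse_entries(text: str) -> list[Proc]:
    """Split the report into blocks on blank lines and read key:value pairs.
    Values may themselves contain ':' (drive letters), so only the first
    colon on a line separates the key from the value."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(":")
            fields[key] = value.strip()
        procs.append(Proc(
            target_id=int(fields["Target ID"]),
            path=fields["Path"],
            cmdline=fields["Commandline"],
            md5=fields["MD5 hash"].upper(),
            admin=fields["Has administrator privileges"] == "true",
        ))
    return procs


# A Windows executable path as it appears in a command line (quoted or not).
EXE_PATH = re.compile(r'[a-z]:\\[^"\s]+?\.exe', re.IGNORECASE)


def triage(procs: list[Proc], sample_md5: str = SAMPLE_MD5) -> dict[int, list[str]]:
    """Return {target_id: [finding, ...]} for every process worth a closer look."""
    sample_md5 = sample_md5.upper()
    by_path = {p.path.lower(): p for p in procs}
    findings: dict[int, list[str]] = {}
    for p in procs:
        notes = []
        if p.md5 == sample_md5 and not p.path.lower().startswith(TRUSTED_PREFIXES):
            notes.append("same MD5 as the submitted sample, running from an untrusted directory")
        # Arguments naming a *different* executable that is itself a copy of
        # the sample: the xxxniijvj.exe -> yanidfx.exe hand-off in the report.
        for arg in EXE_PATH.findall(p.cmdline):
            if arg.lower() == p.path.lower():
                continue  # the process's own image path, not a hand-off
            other = by_path.get(arg.lower())
            if other is not None and other.md5 == p.md5:
                notes.append(f"command line passes another same-hash copy: {arg}")
        if notes:
            findings[p.target_id] = notes
    return findings


if __name__ == "__main__":
    for tid, notes in sorted(triage(parse_entries(REPORT)).items()):
        print(f"Target {tid}:")
        for note in notes:
            print(f"  - {note}")
```

Run as-is, it reports Targets 4, 5, 10 and 11 and stays silent on Target 9. The hash comparison is deliberately against the submitted sample only; a broader rule would also key on the File size field, which the report gives for every entry and which is identical (236'032 bytes) for all four copies.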


Execution Graph

Execution Coverage:9.3%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:54.1%
Total number of Nodes:1491
Total number of Limit Nodes:4

[Execution graph: the interactive node/edge listing is omitted here. Win32 API calls that appear as graph nodes include SetEvent, lstrlen, GetSystemTimeAsFileTime, GetModuleFileNameA, DeleteFileA, wvsprintfA, GetProcessHeap/RtlAllocateHeap/RtlFreeHeap, HeapAlloc, socket, setsockopt, gethostbyname, inet_ntoa, inet_addr, htons, connect, send, recv, closesocket, CreatePipe, SetHandleInformation, CreateProcessA, WriteFile, ReadFile, WaitForSingleObject, CloseHandle, GetStdHandle and ExitProcess.]
GetEnvironmentVariableA 8013->8014 8015 e05b2 8014->8015 8016 d8251 2 API calls 8015->8016 8017 e05d0 CreateMutexA CreateMutexA CreateMutexA 8016->8017 8018 e0665 8017->8018 8019 e0809 8018->8019 8020 e06de GetTickCount 8018->8020 8021 e06c9 8018->8021 8195 c88a8 8019->8195 8024 e06f2 8020->8024 8021->8020 8023 e0818 GetCommandLineA 8027 e08a8 8023->8027 8025 da805 2 API calls 8024->8025 8029 e0710 8025->8029 8028 da805 2 API calls 8027->8028 8031 e08c5 8028->8031 8030 d8251 2 API calls 8029->8030 8032 e07b7 8030->8032 8033 d8251 2 API calls 8031->8033 8032->8019 8034 e092f 8033->8034 8035 e0964 8034->8035 8036 e1311 GetCommandLineA 8034->8036 8037 da805 2 API calls 8035->8037 8298 e3e09 8036->8298 8041 e0996 8037->8041 8040 e13a1 8301 e42b6 8040->8301 8042 d8251 2 API calls 8041->8042 8044 e0a10 8042->8044 8046 da805 2 API calls 8044->8046 8059 e0a21 8044->8059 8045 e13dc GetModuleFileNameA 8304 d20d8 lstrlen 8045->8304 8050 e0ac3 8046->8050 8053 d8251 2 API calls 8050->8053 8052 e145c 8058 d20d8 2 API calls 8052->8058 8055 e0b1f 8053->8055 8054 da805 2 API calls 8056 e22a4 8054->8056 8055->8059 8330 cf793 8055->8330 8557 ce2f8 8056->8557 8060 e1510 8058->8060 8327 d15e5 8059->8327 8062 d20d8 2 API calls 8060->8062 8075 e1523 8062->8075 8063 e0b80 8064 da805 2 API calls 8063->8064 8069 e0ba4 8064->8069 8065 e22c9 8065->7954 8066 e1785 8379 c3b2c 8066->8379 8068 e17c8 8070 e12d7 8068->8070 8387 db3db 8068->8387 8072 d8251 2 API calls 8069->8072 8070->8059 8074 e0be7 8072->8074 8073 e17ed 8076 c3e8c GetSystemTimeAsFileTime 8073->8076 8088 e0c44 8074->8088 8075->8066 8079 e15b0 8075->8079 8077 e1806 8076->8077 8481 cddd3 8077->8481 8307 daf1f 8079->8307 8083 e15e1 8313 c5c39 8083->8313 8086 e0d00 Sleep 8087 db046 5 API calls 8086->8087 8087->8088 8088->8086 8089 e0dd2 Sleep 8088->8089 8114 e0dfe 8088->8114 8335 d571f 8088->8335 8346 db046 8088->8346 8355 c3e8c 8088->8355 8089->8088 8090 e15fa 8090->8059 8091 da805 2 API calls 8090->8091 8094 e1680 8091->8094 8092 
e186d 8097 e18fb WSAStartup 8092->8097 8093 d571f 6 API calls 8093->8114 8095 e42b6 lstrlen 8094->8095 8096 e1695 MessageBoxA 8095->8096 8104 e1738 8096->8104 8100 e1928 8097->8100 8107 e197d 8097->8107 8098 e0ee5 8099 db046 5 API calls 8098->8099 8102 e0ef9 8099->8102 8100->8054 8105 e0f60 GetModuleFileNameA SetFileAttributesA 8102->8105 8148 e126d 8102->8148 8106 d8251 2 API calls 8104->8106 8109 e0fcc CopyFileA 8105->8109 8106->8059 8108 e1a3d 8107->8108 8485 e395f 8107->8485 8115 e1a8c CloseHandle SetFileAttributesA 8108->8115 8141 e1d7e 8108->8141 8116 da805 2 API calls 8109->8116 8110 e0ea2 Sleep 8110->8114 8114->8093 8114->8098 8114->8110 8359 d0806 8114->8359 8117 e1ae9 8115->8117 8118 e1b05 CopyFileA 8115->8118 8119 e1044 8116->8119 8117->8118 8121 e1b22 SetFileAttributesA 8118->8121 8122 e1c76 8118->8122 8129 d8251 2 API calls 8119->8129 8120 d571f 6 API calls 8120->8141 8127 e1b5b 8121->8127 8128 e1b79 8121->8128 8526 cb7cd WaitForSingleObject 8122->8526 8123 e19d7 8123->8070 8495 cf02c 8123->8495 8126 e1e3f SetFileAttributesA CopyFileA SetFileAttributesA 8138 cf793 lstrlen 8126->8138 8504 e35ad 8127->8504 8135 e1c27 Sleep 8128->8135 8517 d6bd8 8128->8517 8131 e1077 8129->8131 8145 da805 2 API calls 8131->8145 8155 e111d 8131->8155 8133 d0806 9 API calls 8137 e1dcb Sleep 8133->8137 8140 d54d8 3 API calls 8135->8140 8137->8141 8144 e1ed0 8138->8144 8139 e1bef 8139->8135 8140->8122 8141->8120 8141->8126 8141->8133 8142 e1206 SetFileAttributesA 8142->8148 8143 e1195 SetFileAttributesA 8143->8148 8147 da805 2 API calls 8144->8147 8151 e10ce 8145->8151 8150 e1ee6 8147->8150 8372 d54d8 8148->8372 8152 da805 2 API calls 8150->8152 8153 d8251 2 API calls 8151->8153 8154 e1f29 8152->8154 8153->8155 8156 d8251 2 API calls 8154->8156 8155->8142 8155->8143 8157 e1f4e 8156->8157 8528 e75ce 8157->8528 8159 e1f65 8160 d8251 2 API calls 8159->8160 8161 e1fc0 8160->8161 8532 e473b 8161->8532 8164 da805 2 API calls 8165 e2012 8164->8165 8166 da805 2 API calls 8165->8166 
8167 e2031 8166->8167 8553 d074e 8167->8553 8169 e2063 8170 d8251 2 API calls 8169->8170 8171 e2079 8170->8171 8172 d8251 2 API calls 8171->8172 8173 e2092 8172->8173 8174 d54d8 3 API calls 8173->8174 8175 e20d2 Mailbox 8174->8175 8176 e2140 CreateThread 8175->8176 8178 e2179 8176->8178 8177 e21c3 Sleep 8178->8177 8556 e74e8 StartServiceCtrlDispatcherA 8178->8556 8182 d8268 Mailbox 8181->8182 8183 cde5a Mailbox 2 API calls 8182->8183 8184 d82cb 8183->8184 8185 da805 8184->8185 8563 e23a6 8185->8563 8187 da878 Mailbox 8187->7960 8189 cde8a 8188->8189 8190 ed256 GetSystemTime 8189->8190 8191 ed2ec 8190->8191 8192 c3e8c GetSystemTimeAsFileTime 8191->8192 8193 ed368 GetTickCount 8192->8193 8194 ed39b 8193->8194 8194->8012 8196 c88cc 8195->8196 8197 c88ea GetVersionExA 8196->8197 8566 ce769 8197->8566 8203 c89fc 8206 c8a89 CreateDirectoryA 8203->8206 8204 c8b28 8205 da805 2 API calls 8204->8205 8207 c8bc2 8205->8207 8208 da805 2 API calls 8206->8208 8589 c846d 8207->8589 8210 c8ae2 8208->8210 8213 d8251 2 API calls 8210->8213 8212 d8251 2 API calls 8214 c8c06 Mailbox 8212->8214 8213->8204 8593 cc622 8214->8593 8216 c8d6f 8218 dc0de 6 API calls 8216->8218 8217 c8cfe DeleteFileA 8220 c8d3d RemoveDirectoryA 8217->8220 8221 c8d2b 8217->8221 8222 c8d85 8218->8222 8220->8216 8221->8220 8223 c8dc3 CreateDirectoryA 8222->8223 8224 c8e00 8223->8224 8225 cf793 lstrlen 8224->8225 8226 c8e64 CreateDirectoryA 8225->8226 8228 da805 2 API calls 8226->8228 8229 c8eb8 8228->8229 8230 da805 2 API calls 8229->8230 8231 c8f10 8230->8231 8232 d8251 2 API calls 8231->8232 8233 c8f6c 8232->8233 8234 c846d 9 API calls 8233->8234 8235 c8f89 8234->8235 8236 d8251 2 API calls 8235->8236 8237 c8f9b Mailbox 8236->8237 8238 cc622 5 API calls 8237->8238 8239 c8fca 8238->8239 8240 c9769 8239->8240 8241 c906c 8239->8241 8242 c8fec 8239->8242 8243 cf793 lstrlen 8240->8243 8245 da805 2 API calls 8241->8245 8244 da805 2 API calls 8242->8244 8246 c977f SetFileAttributesA 8243->8246 8247 c900e 8244->8247 
8248 c9082 8245->8248 8253 c97e1 Mailbox 8246->8253 8249 d074e wvsprintfA 8247->8249 8250 d074e wvsprintfA 8248->8250 8251 c9034 8249->8251 8252 c90a0 8250->8252 8254 d8251 2 API calls 8251->8254 8255 d8251 2 API calls 8252->8255 8253->8023 8256 c905d 8254->8256 8255->8256 8257 c9128 8256->8257 8258 c9144 CreateDirectoryA 8257->8258 8259 c917e 8258->8259 8260 cf793 lstrlen 8259->8260 8261 c91cd CreateDirectoryA 8260->8261 8262 da805 2 API calls 8261->8262 8263 c9210 8262->8263 8264 da805 2 API calls 8263->8264 8265 c923f 8264->8265 8266 d8251 2 API calls 8265->8266 8267 c927a 8266->8267 8268 c846d 9 API calls 8267->8268 8269 c928f 8268->8269 8270 d8251 2 API calls 8269->8270 8271 c9307 Mailbox 8270->8271 8272 cc622 5 API calls 8271->8272 8273 c9336 8272->8273 8274 c9716 8273->8274 8275 c9341 GetTempPathA 8273->8275 8274->8240 8276 e42b6 lstrlen 8275->8276 8277 c938b 8276->8277 8278 cf793 lstrlen 8277->8278 8279 c94ae CreateDirectoryA 8278->8279 8280 c94fd 8279->8280 8281 da805 2 API calls 8280->8281 8282 c9519 8281->8282 8283 da805 2 API calls 8282->8283 8284 c9577 8283->8284 8285 d8251 2 API calls 8284->8285 8286 c95a4 8285->8286 8287 c846d 9 API calls 8286->8287 8288 c95ba 8287->8288 8289 d8251 2 API calls 8288->8289 8290 c95dc Mailbox 8289->8290 8291 cc622 5 API calls 8290->8291 8292 c960b 8291->8292 8292->8274 8293 c9633 GetTempPathA 8292->8293 8294 c9670 8293->8294 8295 da805 2 API calls 8294->8295 8296 c96a4 8295->8296 8297 d8251 2 API calls 8296->8297 8297->8274 8299 e42b6 lstrlen 8298->8299 8300 e3e48 8299->8300 8300->8040 8302 e42cf lstrlen 8301->8302 8302->8045 8305 d210f CharLowerBuffA 8304->8305 8305->8052 8308 daf3f 8307->8308 8642 d111e 8308->8642 8310 daf7b 8311 d54d8 3 API calls 8310->8311 8312 dafe0 Mailbox 8311->8312 8312->8083 8314 c5c69 8313->8314 8315 e42b6 lstrlen 8314->8315 8323 c6052 Mailbox 8314->8323 8316 c5dce Sleep 8315->8316 8317 c5e25 8316->8317 8318 da805 2 API calls 8317->8318 8319 c5e52 8318->8319 8320 d8251 2 API calls 8319->8320 
8321 c5e87 FindFirstFileA 8320->8321 8322 c5ecd 8321->8322 8321->8323 8324 c5fdb DeleteFileA 8322->8324 8325 c6018 FindNextFileA 8322->8325 8323->8090 8324->8322 8324->8325 8325->8322 8326 c602e FindClose 8325->8326 8326->8323 8673 dbf87 8327->8673 8329 d1600 ExitProcess 8331 cddd3 lstrlen 8330->8331 8333 cf7bd 8331->8333 8332 cf80a 8332->8063 8333->8332 8334 e42b6 lstrlen 8333->8334 8334->8332 8336 d5751 CreateToolhelp32Snapshot 8335->8336 8340 d5828 8336->8340 8338 d5a95 Mailbox 8338->8088 8339 d58da Process32First 8341 d5a6c CloseHandle 8339->8341 8343 d590e 8339->8343 8340->8338 8340->8339 8341->8338 8342 d20d8 2 API calls 8342->8343 8343->8342 8344 d5a29 8343->8344 8345 d59c2 Process32Next 8343->8345 8344->8341 8345->8343 8347 db068 CreateFileA 8346->8347 8349 db142 GetFileTime 8347->8349 8354 db11b 8347->8354 8351 db177 CloseHandle 8349->8351 8352 db1c7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 8349->8352 8351->8354 8353 db264 GetFileSize CloseHandle 8352->8353 8353->8354 8354->8088 8356 c3ebf GetSystemTimeAsFileTime 8355->8356 8358 c3f11 __aulldiv 8356->8358 8358->8088 8361 d084d CreateToolhelp32Snapshot 8359->8361 8362 d0b20 Mailbox 8361->8362 8364 d08ee Process32First 8361->8364 8362->8114 8365 d0aea CloseHandle 8364->8365 8370 d0988 8364->8370 8365->8362 8367 d20d8 2 API calls 8367->8370 8368 d09f5 OpenProcess 8368->8370 8369 d0aa4 Process32Next 8369->8365 8369->8370 8370->8367 8370->8368 8370->8369 8371 d0a61 TerminateProcess CloseHandle 8370->8371 8371->8370 8373 d54ea Mailbox 8372->8373 8374 d55fd CreateProcessA 8373->8374 8375 d5677 8374->8375 8376 d5633 8374->8376 8375->8070 8377 d564f CloseHandle CloseHandle 8376->8377 8378 d5645 8376->8378 8377->8375 8378->8377 8380 cf793 lstrlen 8379->8380 8381 c3b68 8380->8381 8382 da805 2 API calls 8381->8382 8383 c3b88 8382->8383 8384 d8251 2 API calls 8383->8384 8385 c3bc6 CreateFileA 8384->8385 8386 c3c14 Mailbox 8385->8386 8386->8068 8389 db41c 8387->8389 8388 db4ff GetComputerNameA 8390 db536 8388->8390 
8391 db59e 8388->8391 8389->8388 8392 da805 2 API calls 8390->8392 8393 da805 2 API calls 8391->8393 8394 db552 8392->8394 8395 db5fa 8393->8395 8396 d8251 2 API calls 8394->8396 8397 d8251 2 API calls 8395->8397 8396->8391 8398 db63d 8397->8398 8399 c846d 9 API calls 8398->8399 8400 db661 8399->8400 8675 c695e 8400->8675 8402 db6db Mailbox 8678 e84d7 8402->8678 8405 e42b6 lstrlen 8406 db7d9 8405->8406 8713 d0b92 8406->8713 8410 db834 Mailbox 8411 c695e 8 API calls 8410->8411 8412 db891 8411->8412 8413 d0b92 9 API calls 8412->8413 8414 db92e 8413->8414 8415 c5724 8 API calls 8414->8415 8416 db93d Mailbox 8415->8416 8417 c695e 8 API calls 8416->8417 8418 db964 8417->8418 8419 d0b92 9 API calls 8418->8419 8420 db988 8419->8420 8421 c5724 8 API calls 8420->8421 8422 db997 Mailbox 8421->8422 8423 c695e 8 API calls 8422->8423 8424 db9cf 8423->8424 8425 d0b92 9 API calls 8424->8425 8426 db9fe 8425->8426 8427 c5724 8 API calls 8426->8427 8428 dba0a Mailbox 8427->8428 8429 c695e 8 API calls 8428->8429 8430 dba25 8429->8430 8431 d0b92 9 API calls 8430->8431 8432 dba48 8431->8432 8433 c5724 8 API calls 8432->8433 8434 dba57 Mailbox 8433->8434 8435 c695e 8 API calls 8434->8435 8436 dba79 8435->8436 8437 da805 2 API calls 8436->8437 8438 dba95 8437->8438 8439 d0b92 9 API calls 8438->8439 8440 dbab9 8439->8440 8441 c5724 8 API calls 8440->8441 8442 dbac8 Mailbox 8441->8442 8443 d8251 2 API calls 8442->8443 8444 dbaf7 8443->8444 8445 c695e 8 API calls 8444->8445 8446 dbb1f 8445->8446 8447 d0b92 9 API calls 8446->8447 8448 dbb3d 8447->8448 8449 c5724 8 API calls 8448->8449 8450 dbb49 Mailbox 8449->8450 8451 c695e 8 API calls 8450->8451 8452 dbb75 8451->8452 8453 d0b92 9 API calls 8452->8453 8454 dbb96 8453->8454 8455 c5724 8 API calls 8454->8455 8456 dbba5 Mailbox 8455->8456 8457 c695e 8 API calls 8456->8457 8458 dbbcb 8457->8458 8720 c3cdc 8458->8720 8462 dbc06 8463 d0b92 9 API calls 8462->8463 8464 dbc12 8463->8464 8465 c5724 8 API calls 8464->8465 8466 dbc21 Mailbox 8465->8466 
8467 c695e 8 API calls 8466->8467 8468 dbc3f 8467->8468 8469 d0b92 9 API calls 8468->8469 8470 dbc85 8469->8470 8471 c5724 8 API calls 8470->8471 8472 dbc94 Mailbox 8471->8472 8730 d5fba 8472->8730 8474 dbccc 8757 e9707 8474->8757 8476 dbd04 Mailbox 8760 e9883 8476->8760 8478 dbd30 8764 cee34 8478->8764 8480 dbd6e Mailbox 8480->8073 8482 cde20 8481->8482 8483 e42b6 lstrlen 8482->8483 8484 cde3f 8483->8484 8484->8092 8486 e3980 8485->8486 8487 cf793 lstrlen 8486->8487 8488 e39f3 8487->8488 8489 da805 2 API calls 8488->8489 8494 e3a11 Mailbox 8488->8494 8490 e3ace 8489->8490 8491 d8251 2 API calls 8490->8491 8492 e3b0d 8491->8492 8812 d9b78 8492->8812 8494->8123 8496 cf065 8495->8496 8497 c3e8c GetSystemTimeAsFileTime 8496->8497 8499 cf079 8497->8499 8498 cf15a 8498->8108 8499->8498 8500 c3e8c GetSystemTimeAsFileTime 8499->8500 8503 cf104 8500->8503 8501 cf10f Sleep 8502 c3e8c GetSystemTimeAsFileTime 8501->8502 8502->8503 8503->8498 8503->8501 8505 e35f3 OpenSCManagerA 8504->8505 8507 e36a9 CreateServiceA 8505->8507 8514 e38db 8505->8514 8508 e3777 OpenServiceA 8507->8508 8509 e36f0 ChangeServiceConfig2A StartServiceA CloseServiceHandle 8507->8509 8513 e37eb 8508->8513 8512 e388e CloseServiceHandle 8509->8512 8512->8514 8515 e3866 8513->8515 8516 e3811 StartServiceA CloseServiceHandle 8513->8516 8514->8128 8515->8512 8516->8515 8519 d6c36 8517->8519 8518 da805 2 API calls 8520 d6c9d RegOpenKeyA 8518->8520 8519->8518 8521 d8251 2 API calls 8520->8521 8522 d6ccb 8521->8522 8523 d6d31 RegCloseKey 8522->8523 8524 e42b6 lstrlen 8522->8524 8523->8139 8525 d6d0f RegSetValueExA 8524->8525 8525->8523 8527 cb846 8526->8527 8527->8070 8529 e75f4 8528->8529 8530 e76ef CreateFileA 8529->8530 8531 e7732 Mailbox 8530->8531 8531->8159 8533 e4797 8532->8533 8534 e4771 8532->8534 8535 da805 2 API calls 8533->8535 8537 cbece 8 API calls 8534->8537 8536 e47be 8535->8536 8538 e75ce CreateFileA 8536->8538 8537->8533 8539 e47e5 8538->8539 8540 d8251 2 API calls 8539->8540 8541 e4803 
8540->8541 8542 e4835 Sleep 8541->8542 8552 e48af 8541->8552 8543 da805 2 API calls 8542->8543 8544 e4886 8543->8544 8547 e75ce CreateFileA 8544->8547 8549 e489b 8547->8549 8551 d8251 2 API calls 8549->8551 8550 e1fe7 8550->8164 8551->8552 8552->8550 8829 e91aa 8552->8829 8554 d0764 wvsprintfA 8553->8554 8554->8169 8556->8177 8558 ce30a 8557->8558 8559 cb7cd WaitForSingleObject 8558->8559 8560 ce324 8559->8560 8561 d15e5 ExitProcess 8560->8561 8562 ce35a 8561->8562 8562->8065 8564 e23e2 GetProcessHeap RtlAllocateHeap 8563->8564 8565 e23c0 8563->8565 8564->8187 8565->8564 8568 ce79e AllocateAndInitializeSid 8566->8568 8569 c8954 8568->8569 8570 ce883 CheckTokenMembership 8568->8570 8573 c457c 8569->8573 8571 ce89f 8570->8571 8572 ce8c9 FreeSid 8570->8572 8571->8572 8572->8569 8574 c4595 8573->8574 8575 da805 2 API calls 8574->8575 8576 c45da GetProcAddress 8575->8576 8577 d8251 2 API calls 8576->8577 8578 c4613 8577->8578 8579 c463a 8578->8579 8580 c4623 GetCurrentProcess 8578->8580 8579->8204 8581 dc0de GetWindowsDirectoryA 8579->8581 8580->8579 8582 dc125 8581->8582 8583 da805 2 API calls 8582->8583 8588 dc1b6 8582->8588 8584 dc164 8583->8584 8585 d8251 2 API calls 8584->8585 8586 dc1a4 8585->8586 8587 e42b6 lstrlen 8586->8587 8587->8588 8588->8203 8590 c848a 8589->8590 8611 c4f47 8590->8611 8594 cc62f 8593->8594 8595 cb7cd WaitForSingleObject 8594->8595 8596 cc686 8595->8596 8597 cc6ef CreateFileA 8596->8597 8598 cc6b3 8596->8598 8601 cc75d 8597->8601 8604 cc79f Mailbox 8597->8604 8640 c4eb1 ReleaseMutex 8598->8640 8602 c4eb1 ReleaseMutex 8601->8602 8603 c8c6e 8602->8603 8603->8216 8603->8217 8605 cc8fa WriteFile 8604->8605 8605->8604 8606 cc94e CloseHandle 8605->8606 8609 c4eb1 ReleaseMutex 8606->8609 8610 cc9a7 8609->8610 8610->8603 8612 c4f6e 8611->8612 8613 e42b6 lstrlen 8612->8613 8614 c4f99 8613->8614 8617 e2f94 8614->8617 8616 c4fa3 8616->8212 8620 e94ec 8617->8620 8619 e2fac Mailbox 8619->8616 8621 e9509 Mailbox 8620->8621 8623 e950e Mailbox 8621->8623 
8624 cf821 8621->8624 8623->8619 8625 cf845 8624->8625 8627 cf85a Mailbox 8625->8627 8628 d7f29 8625->8628 8627->8623 8630 d7f48 Mailbox 8628->8630 8629 d8135 8637 e90f1 8629->8637 8630->8629 8632 d802a 8630->8632 8636 d8109 Mailbox 8630->8636 8633 e23a6 Mailbox 2 API calls 8632->8633 8634 d8057 Mailbox 8633->8634 8635 cde5a Mailbox 2 API calls 8634->8635 8635->8636 8636->8627 8638 e912b GetProcessHeap RtlReAllocateHeap 8637->8638 8639 e9152 GetProcessHeap HeapAlloc 8637->8639 8638->8636 8639->8636 8641 c4ecb 8640->8641 8641->8603 8643 d114d 8642->8643 8644 d11d9 CreateFileA 8643->8644 8645 d1219 8644->8645 8646 d124b ReadFile FindCloseChangeNotification 8645->8646 8648 d15a4 8645->8648 8647 d129d 8646->8647 8649 d12bd GetTickCount 8647->8649 8648->8310 8669 c51ca 8649->8669 8651 d12de 8652 e42b6 lstrlen 8651->8652 8653 d1310 8652->8653 8654 da805 2 API calls 8653->8654 8655 d1378 8654->8655 8656 d8251 2 API calls 8655->8656 8657 d1416 8656->8657 8661 da805 2 API calls 8657->8661 8668 d14e0 CreateFileA 8657->8668 8659 d154f 8659->8648 8660 d1564 WriteFile CloseHandle 8659->8660 8660->8648 8662 d147e 8661->8662 8663 e42b6 lstrlen 8662->8663 8664 d14a0 8663->8664 8665 d074e wvsprintfA 8664->8665 8666 d14a9 8665->8666 8667 d8251 2 API calls 8666->8667 8667->8668 8668->8659 8670 c51ea 8669->8670 8671 e42b6 lstrlen 8670->8671 8672 c5235 8671->8672 8672->8651 8674 dbfa3 8673->8674 8674->8329 8676 e9883 8 API calls 8675->8676 8677 c6983 8676->8677 8677->8402 8679 e8577 8678->8679 8680 da805 2 API calls 8679->8680 8681 e8652 8680->8681 8682 d8251 2 API calls 8681->8682 8683 e86d5 GetProcessHeap 8682->8683 8684 e8711 8683->8684 8690 db7c4 8683->8690 8685 da805 2 API calls 8684->8685 8686 e8739 LoadLibraryA 8685->8686 8688 d8251 2 API calls 8686->8688 8689 e878f 8688->8689 8689->8690 8691 da805 2 API calls 8689->8691 8690->8405 8692 e8837 GetProcAddress 8691->8692 8693 d8251 2 API calls 8692->8693 8694 e886e 8693->8694 8695 e88ac HeapAlloc 8694->8695 8696 e8886 FreeLibrary 
8694->8696 8697 e88fb FreeLibrary 8695->8697 8698 e8926 8695->8698 8696->8690 8697->8690 8699 e896c HeapFree 8698->8699 8703 e8a27 8698->8703 8700 e898e HeapAlloc 8699->8700 8702 e89fb FreeLibrary 8700->8702 8700->8703 8702->8690 8704 da805 2 API calls 8703->8704 8712 e8d26 Mailbox 8703->8712 8706 e8ac3 8704->8706 8705 e9094 HeapFree FreeLibrary 8705->8690 8707 d8251 2 API calls 8706->8707 8708 e8b17 8707->8708 8709 da805 2 API calls 8708->8709 8708->8712 8710 e8d41 8709->8710 8711 d8251 2 API calls 8710->8711 8711->8712 8712->8705 8770 d23e9 8713->8770 8716 c5724 8717 c573e Mailbox 8716->8717 8718 e9883 8 API calls 8717->8718 8719 c5789 8718->8719 8719->8410 8721 c3d0f Mailbox 8720->8721 8722 da805 2 API calls 8721->8722 8723 c3d74 8722->8723 8724 d8251 2 API calls 8723->8724 8725 c3db8 8724->8725 8726 c4d07 8725->8726 8727 c4d1f 8726->8727 8728 e42b6 lstrlen 8727->8728 8729 c4d4c 8728->8729 8729->8462 8731 d6020 8730->8731 8732 da805 2 API calls 8731->8732 8733 d604e 8732->8733 8734 da805 2 API calls 8733->8734 8735 d6067 8734->8735 8736 da805 2 API calls 8735->8736 8737 d60be 8736->8737 8738 d8251 2 API calls 8737->8738 8739 d60d2 8738->8739 8740 da805 2 API calls 8739->8740 8741 d6144 8740->8741 8742 d8251 2 API calls 8741->8742 8743 d61a1 8742->8743 8744 d8251 2 API calls 8743->8744 8754 d621c 8744->8754 8745 d6a70 8746 d8251 2 API calls 8745->8746 8749 d6b1c Mailbox 8746->8749 8747 d07f5 8 API calls 8756 d664d Mailbox 8747->8756 8749->8474 8750 d6983 8750->8745 8752 d07f5 8 API calls 8750->8752 8779 c5071 8750->8779 8751 c5071 9 API calls 8751->8754 8752->8750 8753 c5071 9 API calls 8753->8756 8754->8751 8754->8756 8776 d07f5 8754->8776 8756->8745 8756->8747 8756->8750 8756->8753 8758 e94ec Mailbox 8 API calls 8757->8758 8759 e970e 8758->8759 8759->8476 8761 e9898 Mailbox 8760->8761 8762 e94ec Mailbox 8 API calls 8761->8762 8763 e98a3 Mailbox 8762->8763 8763->8478 8765 cee52 8764->8765 8789 d1da2 8765->8789 8767 cee71 Mailbox 8768 e9883 8 API calls 8767->8768 
8769 cef9f 8767->8769 8768->8769 8769->8480 8771 d23f5 8770->8771 8772 e42b6 lstrlen 8771->8772 8773 d2488 8772->8773 8774 e2f94 8 API calls 8773->8774 8775 d0ba0 8774->8775 8775->8716 8785 cba10 8776->8785 8778 d0802 8778->8754 8780 cacbe 8779->8780 8781 e42b6 lstrlen 8780->8781 8782 cad02 8781->8782 8783 e9883 8 API calls 8782->8783 8784 cad0c 8783->8784 8784->8750 8786 cba25 Mailbox 8785->8786 8787 e94ec Mailbox 8 API calls 8786->8787 8788 cba30 Mailbox 8787->8788 8788->8778 8794 cdb48 8789->8794 8791 d1e43 8791->8767 8793 d1db4 8793->8791 8798 cbece 8793->8798 8795 cdb9f 8794->8795 8796 cdb5b Mailbox 8794->8796 8795->8793 8797 e9707 Mailbox 8 API calls 8796->8797 8797->8795 8799 cbf08 8798->8799 8800 cb7cd WaitForSingleObject 8799->8800 8801 cbfa2 8800->8801 8802 da805 2 API calls 8801->8802 8811 cc09d 8801->8811 8803 cbfe5 GetProcAddress 8802->8803 8804 da805 2 API calls 8803->8804 8807 cc033 8804->8807 8805 c4eb1 ReleaseMutex 8806 cc2bd 8805->8806 8806->8793 8808 d8251 2 API calls 8807->8808 8809 cc06d GetProcAddress 8808->8809 8810 d8251 2 API calls 8809->8810 8810->8811 8811->8805 8813 d9b85 8812->8813 8814 e9707 Mailbox 8 API calls 8813->8814 8815 d9c02 8814->8815 8816 cb7cd WaitForSingleObject 8815->8816 8817 d9c24 CreateFileA 8816->8817 8818 d9c5a 8817->8818 8823 d9c78 Mailbox 8817->8823 8820 c4eb1 ReleaseMutex 8818->8820 8819 d9c8b ReadFile 8819->8823 8821 d9e2f Mailbox 8820->8821 8821->8494 8822 d7f29 Mailbox 8 API calls 8822->8823 8823->8819 8823->8822 8824 d9e6a CloseHandle 8823->8824 8825 e9883 8 API calls 8823->8825 8826 d9dbc CloseHandle 8823->8826 8824->8818 8825->8823 8827 d9dd9 8826->8827 8828 c4eb1 ReleaseMutex 8827->8828 8828->8821 8832 e91e0 8829->8832 8830 e48e6 8833 cea59 CloseHandle 8830->8833 8831 e92ba WriteFile 8831->8830 8832->8830 8832->8831 8834 cea8e 8833->8834 8834->8550 9694 e95bd 9695 e95c3 Mailbox 9694->9695 9696 e90f1 Mailbox 4 API calls 9695->9696 9697 e9605 Mailbox 9696->9697 8960 e40bb 8961 e40c6 8960->8961 8964 cdd8f 
8961->8964 8965 cdda0 8964->8965 8966 e2f94 8 API calls 8965->8966 8967 cddad 8966->8967 8874 cfa34 8877 c7fce 8874->8877 8876 cfa42 8878 e42b6 lstrlen 8877->8878 8879 c7fe9 Mailbox 8878->8879 8879->8876 9704 c81b5 9705 c81dc 9704->9705 9706 c3b08 8 API calls 9705->9706 9707 c823c 9706->9707 9708 dbf07 8 API calls 9707->9708 9709 c8276 9708->9709 9710 c11b7 9711 c1214 9710->9711 9714 c122a Mailbox 9710->9714 9712 e42b6 lstrlen 9712->9714 9713 d074e wvsprintfA 9713->9714 9714->9711 9714->9712 9714->9713 8880 c9830 8881 c983b Mailbox 8880->8881 8882 e2f94 8 API calls 8881->8882 8883 c98bd 8882->8883 9715 ce9b3 9716 d9a0f 8 API calls 9715->9716 9717 ce9e3 9716->9717 9718 c5724 8 API calls 9717->9718 9719 cea10 9718->9719 8971 d98cc 8972 d1da2 12 API calls 8971->8972 8973 d9900 8972->8973 8974 e9883 8 API calls 8973->8974 8975 d9994 8974->8975 8884 c444e 8885 c446b 8884->8885 8888 ce4e4 8885->8888 8889 ce513 8888->8889 8890 ce69a 8889->8890 8891 ce553 8889->8891 8906 cb38e 8890->8906 8893 ce576 8891->8893 8894 ce621 8891->8894 8898 e58f9 8893->8898 8896 e58f9 4 API calls 8894->8896 8897 c4575 8896->8897 8899 e5931 8898->8899 8901 e59a1 8899->8901 8905 e5937 8899->8905 8914 c85a4 8899->8914 8902 c85a4 4 API calls 8901->8902 8903 e59f4 8901->8903 8902->8903 8918 e572d 8903->8918 8905->8897 8907 cb3c3 8906->8907 8908 c85a4 4 API calls 8907->8908 8910 cb456 8907->8910 8908->8910 8909 cb7b4 8909->8897 8910->8909 8911 c4088 4 API calls 8910->8911 8912 cb4c3 8911->8912 8912->8909 8913 c4088 4 API calls 8912->8913 8913->8912 8915 c85be 8914->8915 8917 c860a Mailbox 8915->8917 8922 c4088 8915->8922 8917->8901 8920 e5761 Mailbox 8918->8920 8919 e58d3 8919->8905 8920->8919 8921 cde5a Mailbox 2 API calls 8920->8921 8921->8920 8923 c40bc 8922->8923 8924 c40d8 8922->8924 8925 e23a6 Mailbox 2 API calls 8923->8925 8924->8917 8926 c40d1 Mailbox 8925->8926 8926->8924 8927 cde5a Mailbox 2 API calls 8926->8927 8927->8924 8980 e84c2 8983 c8020 8980->8983 8986 e236a 8983->8986 8985 c802b 
8987 e42b6 lstrlen 8986->8987 8988 e2378 8987->8988 8988->8985 8989 c50c3 8990 c50e0 8989->8990 8991 e42b6 lstrlen 8990->8991 8992 c510f Mailbox 8991->8992 8993 d7f29 Mailbox 8 API calls 8992->8993 8994 c5123 8993->8994 8995 c5071 9 API calls 8994->8995 8996 c5145 8995->8996 8999 dbf07 8996->8999 9000 dbf15 Mailbox 8999->9000 9001 e9883 8 API calls 9000->9001 9002 c5183 9001->9002 9003 cbcdc 9004 cbcfa 9003->9004 9005 e9707 Mailbox 8 API calls 9004->9005 9006 cbd13 9005->9006 9011 c563a 9006->9011 9008 cbd3a Mailbox 9009 e9707 Mailbox 8 API calls 9008->9009 9010 cbdb8 9009->9010 9012 c5648 9011->9012 9013 cdd8f 8 API calls 9012->9013 9014 c5659 9013->9014 9014->9008 9175 e2f5d ExitProcess 9023 ccedb FlushFileBuffers 9024 ccf0d GetLastError 9023->9024 9025 ccf39 9023->9025 9024->9025 9026 e24d3 9027 e250c 9026->9027 9028 ed256 3 API calls 9027->9028 9029 e261c 9028->9029 9030 c5c39 10 API calls 9029->9030 9031 e2645 9030->9031 9032 cf793 lstrlen 9031->9032 9033 e2697 9032->9033 9034 da805 2 API calls 9033->9034 9035 e26ad 9034->9035 9036 d8251 2 API calls 9035->9036 9052 e2706 Mailbox 9036->9052 9037 e9707 Mailbox 8 API calls 9038 e2cf0 Sleep 9037->9038 9071 d2192 9038->9071 9040 d571f 6 API calls 9040->9052 9041 c3e8c GetSystemTimeAsFileTime 9041->9052 9042 d54d8 3 API calls 9042->9052 9044 e473b 12 API calls 9044->9052 9045 d8695 21 API calls 9045->9052 9046 da805 GetProcessHeap RtlAllocateHeap 9046->9052 9047 c846d 9 API calls 9047->9052 9048 c695e 8 API calls 9048->9052 9050 c5724 8 API calls 9050->9052 9051 d8251 GetProcessHeap RtlFreeHeap 9051->9052 9052->9037 9052->9040 9052->9041 9052->9042 9052->9044 9052->9045 9052->9046 9052->9047 9052->9048 9052->9050 9052->9051 9053 e7dc0 50 API calls 9052->9053 9054 e4927 32 API calls 9052->9054 9055 e443e 9052->9055 9067 cfe4b 9052->9067 9053->9052 9054->9052 9056 e4470 9055->9056 9057 da805 2 API calls 9056->9057 9058 e44cd 9057->9058 9059 da805 2 API calls 9058->9059 9060 e44fc 9059->9060 9080 ca928 9060->9080 9063 
d8251 2 API calls 9064 e4546 9063->9064 9065 d8251 2 API calls 9064->9065 9066 e456f 9065->9066 9066->9052 9068 cfe66 Mailbox 9067->9068 9069 e9883 8 API calls 9068->9069 9070 cff60 Mailbox 9068->9070 9069->9070 9070->9052 9074 d21ab 9071->9074 9072 d233c 9076 d23c2 9072->9076 9091 cb920 9072->9091 9073 d22b7 DeleteFileA 9073->9074 9074->9072 9074->9073 9079 d23d9 9074->9079 9086 d9ef6 9074->9086 9095 c5430 9076->9095 9079->9052 9081 ca95f Mailbox 9080->9081 9082 da805 2 API calls 9081->9082 9083 cac5d 9082->9083 9084 d8251 2 API calls 9083->9084 9085 cac90 9084->9085 9085->9063 9099 d5b3e 9086->9099 9088 d9f0d 9103 c82bf 9088->9103 9092 cb93a 9091->9092 9093 cb97f 9092->9093 9118 cde9c 9092->9118 9093->9072 9096 c5438 9095->9096 9097 e94b4 Mailbox 2 API calls 9096->9097 9098 cfc29 9097->9098 9100 d5b5a Mailbox 9099->9100 9101 d7f29 Mailbox 8 API calls 9100->9101 9102 d5b64 Mailbox 9101->9102 9102->9088 9104 c82cc 9103->9104 9105 c82dc 9104->9105 9107 d9a0f 9104->9107 9105->9074 9110 e7848 9107->9110 9109 d9a1d 9109->9105 9111 e785a Mailbox 9110->9111 9114 e4333 9111->9114 9113 e7870 Mailbox 9113->9109 9115 e433e 9114->9115 9116 cf821 Mailbox 8 API calls 9115->9116 9117 e43a8 9116->9117 9117->9113 9121 c84ea 9118->9121 9122 c8529 9121->9122 9125 cbdcb 9122->9125 9124 c854b 9124->9093 9126 cbde1 Mailbox 9125->9126 9127 d7f29 Mailbox 8 API calls 9126->9127 9128 cbe04 Mailbox 9127->9128 9128->9124 9176 cf553 9177 cf5b5 9176->9177 9179 cf567 9176->9179 9178 cf671 ReadFile 9177->9178 9177->9179 9178->9179 9180 cb353 9181 e2f94 8 API calls 9180->9181 9182 cb377 9181->9182 9724 cc9ed 9725 cca6f RegisterServiceCtrlHandlerA 9724->9725 9727 ccb13 SetServiceStatus CreateEventA 9725->9727 9738 ccda7 9725->9738 9729 ccbcd 9727->9729 9730 ccbde SetServiceStatus 9727->9730 9729->9730 9731 ccc00 9730->9731 9732 ccc42 WaitForSingleObject 9731->9732 9732->9732 9733 ccc6f 9732->9733 9734 cb7cd WaitForSingleObject 9733->9734 9735 ccc84 SetServiceStatus CloseHandle 9734->9735 9737 
ccd01 SetServiceStatus 9735->9737 9737->9738 9183 db360 9184 db378 9183->9184 9185 e42b6 lstrlen 9184->9185 9186 db3a5 9185->9186 9189 cfc31 9186->9189 9192 e98df 9189->9192 9191 cfc47 9193 e9923 9192->9193 9194 e998f 9193->9194 9195 e9982 9193->9195 9197 cdbdf 8 API calls 9194->9197 9198 e998d Mailbox 9194->9198 9196 cbdcb 8 API calls 9195->9196 9196->9198 9197->9198 9198->9191 9129 e4ee1 9130 e4efa 9129->9130 9133 ed527 9130->9133 9132 e4f99 9134 ed544 9133->9134 9137 cdbdf 9134->9137 9136 ed559 Mailbox 9136->9132 9138 cdbf5 Mailbox 9137->9138 9139 cf821 Mailbox 8 API calls 9138->9139 9140 cdc18 9139->9140 9140->9136 9739 ecffe 9740 ed050 9739->9740 9741 e5d58 2 API calls 9740->9741 9742 ed055 9741->9742 9743 d5d50 3 API calls 9742->9743 9744 ed067 9743->9744 9745 ed108 ExitProcess 9744->9745 9141 ce2f9 9142 ce30a 9141->9142 9143 cb7cd WaitForSingleObject 9142->9143 9144 ce324 9143->9144 9145 d15e5 ExitProcess 9144->9145 9146 ce35a 9145->9146 8931 c507a 8932 e42b6 lstrlen 8931->8932 8933 c50a9 8932->8933 8934 cba72 8937 cbb03 SetServiceStatus 8934->8937 8939 cba89 8934->8939 8938 cbb88 SetEvent 8937->8938 8940 cbcd8 8938->8940 8939->8937 8942 cbaa1 SetServiceStatus 8939->8942 8942->8940
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 000E0590
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000E05E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000E0629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 000E0649
• GetTickCount.KERNEL32 ref: 000E06E6
• GetCommandLineA.KERNEL32 ref: 000E0873
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: $}\N$241$C:\Users\user$HO$^d/$wb_m$~z0
• API String ID: 3327569919-2066331522
• Opcode ID: cc13ec0fe6d8ade43902024f07155eb0d9060ea195597cc6a4e6e7602ea72d4e
• Instruction ID: 05a4aceeacadd651943cdfeae31799d91f9c42994799875e4b6f14718543a14f
• Opcode Fuzzy Hash: cc13ec0fe6d8ade43902024f07155eb0d9060ea195597cc6a4e6e7602ea72d4e
• Instruction Fuzzy Hash: 5903EC716046409FF758DF69FC82ABA37F4FB44301B10411AE906DAEB1EB7D9981EB12

Control-flow Graph (graph image not reproduced in text)
APIs
• GetVersionExA.KERNEL32(000FB028), ref: 000C893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 000C8AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 000C8D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 000C8D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 000C8DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 000C8E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 000C9158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 000C91F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 000C936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 000C94DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 000C963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 000C97B0
Strings
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Users\user$C:\hjflhukc\$\$gKV`
• API String ID: 1691758827-3473430694
• Opcode ID: 778ef66eed9e010294ea5ac634631dbf82583273810f14e389e1f415edef4fb3
• Instruction ID: 194d7e943f75bb312d412f21b4b146f55b9ac6c8a599a9ba3faec92eb9e5b9ec
• Opcode Fuzzy Hash: 778ef66eed9e010294ea5ac634631dbf82583273810f14e389e1f415edef4fb3
• Instruction Fuzzy Hash: 0F82F4B15046059FF708DF64EC86AFA37B4FB54301B00802EE906D6AB2EB3C9945EF56

Control-flow Graph (graph image not reproduced in text)
APIs
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D11F7
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 000D1267
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 000D128B
• GetTickCount.KERNEL32 ref: 000D12D1
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 000D153B
• WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 000D157E
• CloseHandle.KERNEL32(00000000), ref: 000D158F
Strings
Similarity
• API ID: File$CloseCreate$ChangeCountFindHandleNotificationReadTickWrite
• String ID: Ra);
• API String ID: 688250028-4229484525
• Opcode ID: 943f3e3e715df5df2d59fd2ce18c109223204c4b5d3781c349d29a1a8e621e20
• Instruction ID: 75080ce39a08e03dc072e2bbeb67a45c59c6ff23a4f3bcabae16aa0a12dfb75b
• Opcode Fuzzy Hash: 943f3e3e715df5df2d59fd2ce18c109223204c4b5d3781c349d29a1a8e621e20
• Instruction Fuzzy Hash: 95B1EFB1615600EEF7189F68FC85ABA37F8FB48351710401AF905C6EB1EB7C8941EB26

Control-flow Graph (graph image not reproduced in text)
APIs
• Sleep.KERNELBASE(000003E8), ref: 000C5DEC
• FindFirstFileA.KERNELBASE(?,?), ref: 000C5EB2
• DeleteFileA.KERNELBASE(?), ref: 000C5FE2
• FindNextFileA.KERNELBASE(00000000,?), ref: 000C6020
• FindClose.KERNEL32(00000000), ref: 000C6042
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FileFind$CloseDeleteFirstNextSleep
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1528862845-0
                                                                                                                                                                                                            • Opcode ID: 0304f1a21f46f192774a60dfc0b2ed96913166de9c93906ce0e27c751e72419f
                                                                                                                                                                                                            • Instruction ID: 776328a147c840fca59686de9354d94b184148ff6fa1b872f9975b358b3a75e8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0304f1a21f46f192774a60dfc0b2ed96913166de9c93906ce0e27c751e72419f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E8A1EFB5114A05CFF758CF54EC86AB933B8F744342710402AE906CAE71EB7CA986EF52

Control-flow Graph (image not reproduced; basic blocks ce769-ce908, calling AllocateAndInitializeSid, CheckTokenMembership, FreeSid)
APIs
• AllocateAndInitializeSid.ADVAPI32(000C8954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,000C8954), ref: 000CE865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 000CE895
• FreeSid.ADVAPI32(?), ref: 000CE8DC
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 44976fb9cdd092f20e6e6b0fc39a580a523aeb4be6bca759fd8a25db207696d7
• Instruction ID: 7a8c73461f3bdb291b4493e2205844bb629f619409bb92743cadce3af56c7dc4
• Opcode Fuzzy Hash: 44976fb9cdd092f20e6e6b0fc39a580a523aeb4be6bca759fd8a25db207696d7
• Instruction Fuzzy Hash: 2C41BCB4915204EFEB04CFA5EC85AB977F4FB08305B40401AE50AD7A60EB3C9945FB16

Control-flow Graph (image not reproduced; basic blocks cde5a-cde9b, calling GetProcessHeap, RtlFreeHeap)
APIs
• GetProcessHeap.KERNEL32(00000000,000D8109,?,000D8109,00000000), ref: 000CDE6C
• RtlFreeHeap.NTDLL(00000000,?,000D8109,00000000), ref: 000CDE73
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 125a8eee30b0ad751e47ba119c7fdc67b8f2be73806f61a844f524327122d9a9
• Instruction ID: ce7721993f9482c97c1c28098c68fa81f67eba1a13371c8e119a1844f3c6d335
• Opcode Fuzzy Hash: 125a8eee30b0ad751e47ba119c7fdc67b8f2be73806f61a844f524327122d9a9
• Instruction Fuzzy Hash: 78E0C232500384DBFE009BD5FC8AB2A3BE8FB61781F148121F905CA930C7299551DA84

Control-flow Graph (image not reproduced; basic blocks d5498-d568e, calling d06af, CreateProcessA, CloseHandle)
APIs
• CreateProcessA.KERNELBASE(?,000CDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 000D5628
• CloseHandle.KERNEL32(000CDA33,?,?,?,?,00000000), ref: 000D5652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 000D5665
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: cc6ac80bf967af553be75eccbe50e5790dfc2ce2c5553fb6cca33912906ba1f8
• Instruction ID: d5b3e6c1843abba361c16602d90e655b41a74f7595ed27b0b61c4a50247308e5
• Opcode Fuzzy Hash: cc6ac80bf967af553be75eccbe50e5790dfc2ce2c5553fb6cca33912906ba1f8
• Instruction Fuzzy Hash: 49412432600A409BEB18DF64FC55ABA37B4FB84301B04401FE906CBAB1EB7D8801EB21

Control-flow Graph (image not reproduced; basic blocks d54d8-d568e, calling d06af, CreateProcessA, CloseHandle)
APIs
• CreateProcessA.KERNELBASE(?,000CDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 000D5628
• CloseHandle.KERNEL32(000CDA33,?,?,?,?,00000000), ref: 000D5652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 000D5665
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 2f409144b995f010346691955483ce284b18c75a58069c1cd4ca8180b7dd9675
• Instruction ID: acc3cf1c1ebb7c438cf04b9fb0d8ca1000d82c6f5f74c5fdde50227263963d78
• Opcode Fuzzy Hash: 2f409144b995f010346691955483ce284b18c75a58069c1cd4ca8180b7dd9675
• Instruction Fuzzy Hash: 5941C171500A05DBEB18DF65FD999BA37B4FB84701B00401BE9069AE70EB7C9944FF26

Control-flow Graph
control_flow_graph 844 cc622-cc69d call edfa1 call cb7cd 849 cc69f 844->849 850 cc6a9-cc6b1 844->850 849->850 851 cc6ef-cc709 850->851 852 cc6b3-cc6ea call c4eb1 850->852 854 cc70b-cc71a 851->854 855 cc737-cc75b CreateFileA 851->855 861 cc9b6-cc9b9 852->861 854->855 857 cc71c-cc731 854->857 858 cc75d-cc784 call c4eb1 855->858 859 cc79f-cc7b3 855->859 857->855 868 cc798-cc79a 858->868 869 cc786-cc792 858->869 860 cc7b8-cc7d2 859->860 863 cc7f9-cc7fb 860->863 864 cc7d4-cc7f4 860->864 866 cc7fd-cc819 863->866 867 cc81b-cc82d 863->867 864->863 871 cc837-cc8a2 call d85e7 call e970f 866->871 867->871 870 cc9b5 868->870 869->868 870->861 876 cc8a4-cc8d4 871->876 877 cc8d6-cc8ee 871->877 878 cc8fa-cc948 WriteFile 876->878 877->878 879 cc8f0 877->879 878->860 880 cc94e-cc962 878->880 879->878 881 cc964-cc96e 880->881 882 cc970-cc97c 880->882 883 cc982-cc9b4 CloseHandle call c4eb1 881->883 882->883 883->870
APIs
  • Part of subcall function 000CB7CD: WaitForSingleObject.KERNEL32(000DAEAC,00004E20,00000001,?,000CBFA2,00000001,-AF16B4FB,?,000DAEAC,000C66DE), ref: 000CB81D
• CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,000C67E3,?,00000004,?,00000000,?), ref: 000CC746
• WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 000CC90B
• CloseHandle.KERNEL32(00000000,?,?,?,00000001), ref: 000CC983
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: File$CloseCreateHandleObjectSingleWaitWrite
• String ID:
• API String ID: 3361265286-0
• Opcode ID: cd34f788ce7046903ca61005da043c318bd27d824c0eb75842df243fc03becf6
• Instruction ID: 6de2c11b9a3003150cc86a3dc9f2f8993ac11691b45fcd18d0010e2a977cf5be
• Opcode Fuzzy Hash: cd34f788ce7046903ca61005da043c318bd27d824c0eb75842df243fc03becf6
• Instruction Fuzzy Hash: 9C91BAB1514601DBF708CF28ED95A7A3BF4FB84311710812AE90ACBAB1EB3D9941EF05

Control-flow Graph
control_flow_graph 898 d20d8-d210d lstrlen 899 d210f-d2119 898->899 900 d211b-d2127 898->900 901 d212d-d214f CharLowerBuffA 899->901 900->901
APIs
• lstrlen.KERNEL32(?,?,000D09C2,?,?,?), ref: 000D20F0
• CharLowerBuffA.USER32(?,00000000,?,000D09C2,?,?,?), ref: 000D2131
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: 65f0a2c710b383e7ace3ccb8feb6b2df6dd4afa094e34cf11d710ca005338817
• Instruction ID: 204405291c4f83ba75a4cefc070859559669394d06d63a96bc869e2628bed9a0
• Opcode Fuzzy Hash: 65f0a2c710b383e7ace3ccb8feb6b2df6dd4afa094e34cf11d710ca005338817
• Instruction Fuzzy Hash: 43F090315143049BEB05CF05EC4647A37F1FB64740700801AF8068AE30EB3DAD80FB56

Control-flow Graph
control_flow_graph 902 e23a6-e23be 903 e23e2-e2404 GetProcessHeap RtlAllocateHeap 902->903 904 e23c0-e23d6 902->904 904->903 905 e23d8 904->905 905->903
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,000EA3A7,?,?,?,000ED0BE), ref: 000E23F6
• RtlAllocateHeap.NTDLL(00000000,?,000EA3A7,?,?,?,000ED0BE), ref: 000E23FD
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 8c4021f76e7a15f3e1517669c52a024a7321b4d9a01c00e579ca2fae3402e7cf
• Instruction ID: 824fbc39bf0ba26bfddefa5d18f38e40aa4c866ccc7da2b69f46131adb7ebfef
• Opcode Fuzzy Hash: 8c4021f76e7a15f3e1517669c52a024a7321b4d9a01c00e579ca2fae3402e7cf
• Instruction Fuzzy Hash: D3F0E5361043419FEB108FA9FC89A7A37A4F304714B240002F449EA4B5C3BCE844DF50

Control-flow Graph
control_flow_graph 909 d15e5-d160d call dbf87 ExitProcess
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: ffede3e330983a38755438b85723dfa9d2767e1827ef164de216c51d5e78bf8b
• Instruction ID: f9916c16cb986cd92e016800c3f47e219ddf2a3ed9f0a8aef401c50a61c1cc46
• Opcode Fuzzy Hash: ffede3e330983a38755438b85723dfa9d2767e1827ef164de216c51d5e78bf8b
• Instruction Fuzzy Hash: 8CD012A4104344DAAB10AF64DC065753BB5FF487007411021EC44D9931EB79E900FB5B
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 000ED98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 000ED9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 000EDA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 000EDA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 000EDBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 000EDC1C
• CloseHandle.KERNEL32(?), ref: 000EDC33
• CloseHandle.KERNEL32(?), ref: 000EDC66
• CloseHandle.KERNEL32(?), ref: 000EDC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 000EDD4F
• CloseHandle.KERNEL32(?), ref: 000EDD9F
• CloseHandle.KERNEL32(?), ref: 000EDDB2
• CloseHandle.KERNEL32(?), ref: 000EDE41
• CloseHandle.KERNEL32(00000000), ref: 000EDE67
• CloseHandle.KERNEL32(?), ref: 000EDE7E
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
                                                                                                                                                                                                            • Opcode ID: 7a11729726679cd6e3e5bc3e4f04dc36f0184592ee659b30eb9f623f7c9f16f9
                                                                                                                                                                                                            • Instruction ID: f53b1cee7553d8ad616101223310b5b2f4e9f497fe9c0e5cbcae4754687af883
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7a11729726679cd6e3e5bc3e4f04dc36f0184592ee659b30eb9f623f7c9f16f9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2302C776614640DFEB14DF69EC81ABA7BF4FB08301714811AE806E7A30EB3D9951EF52
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000,00000100), ref: 000E86E1
• LoadLibraryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000,00000100), ref: 000E876A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 000E8854
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000,00000100), ref: 000E8891
• HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000), ref: 000E88DD
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000,00000100), ref: 000E8908
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000), ref: 000E897A
• HeapAlloc.KERNEL32(?,00000000,00000100,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000), ref: 000E89C3
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000,00000100), ref: 000E8A10
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000), ref: 000E90B2
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,000DB7C4,?,?,00000000,00000100), ref: 000E90D7
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Free$HeapLibrary$Alloc$AddressLoadProcProcess
• String ID: Q:3q$SAcA
• API String ID: 1560921867-494069912
• Opcode ID: 862ce0fc4df080c7acaad3c4d94b10e3e8387cd43eca8532ba3d2d9fa3ec37fa
• Instruction ID: 575b7b52360d4766831ea994d0f480e1dc24c6e476fa2783015d4831fb82b6c2
• Opcode Fuzzy Hash: 862ce0fc4df080c7acaad3c4d94b10e3e8387cd43eca8532ba3d2d9fa3ec37fa
• Instruction Fuzzy Hash: 3052DD71614640CFE758CF69EC816B937F4FB48311B14841AE90ADBAB1EB3C9940EB56
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 000D9154
• setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 000D91DB
• gethostbyname.WS2_32(?), ref: 000D9261
• inet_ntoa.WS2_32(?), ref: 000D92CF
• inet_addr.WS2_32(00000000), ref: 000D92D6
• htons.WS2_32(00000050), ref: 000D92FB
• connect.WS2_32(00000000,?,00000010), ref: 000D9316
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 000D93A1
• recv.WS2_32(00000000,?,00000400,00000000), ref: 000D947C
• closesocket.WS2_32(00000000), ref: 000D97C6
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: closesocketconnectgethostbynamehtonsinet_addrinet_ntoarecvsendsetsockoptsocket
• String ID: /$;$Rb
• API String ID: 4203722200-1076244922
• Opcode ID: a611e5471c736219518736169f4de320fcc0f76a2cb4bdfcd95049bff88ecd1a
• Instruction ID: 42cf90c1e04521ff2d7fcf94789ee76403cf34c3831c7ac92a8983322ba53b06
• Opcode Fuzzy Hash: a611e5471c736219518736169f4de320fcc0f76a2cb4bdfcd95049bff88ecd1a
• Instruction Fuzzy Hash: 0792D2715147008BF718DF64EC92AB937B4FB44711B10801BE90AD7AB1EB7D9981EB61
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 000E3685
• CreateServiceA.ADVAPI32(00000000,00930558,00930558,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 000E36D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 000E3728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 000E374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 000E375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 000E37D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 000E3836
• CloseServiceHandle.ADVAPI32(00000000), ref: 000E3847
• CloseServiceHandle.ADVAPI32(00000000), ref: 000E38B1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: 1a52161b501d93ca1e93a507c07e430d5382a31b2efeaec47b9220703ed6ced2
• Instruction ID: 4b9a8291ea4e8fbeeb9ed1ba7b88d77f4b96d40ba119549ed9a7a2e346e8acbc
• Opcode Fuzzy Hash: 1a52161b501d93ca1e93a507c07e430d5382a31b2efeaec47b9220703ed6ced2
• Instruction Fuzzy Hash: E891C8B5614600AFF3088F29ED899793BF4FB49701340400AE902EBE71EB7D9A41FB51
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: "Ib$%$0$c< n$jQn$l$l$o$T8G
• API String ID: 0-3181560568
• Opcode ID: da733d93755384a79fad938ffd9bb8eafaf8d109f8cdc662f927e4ce03018115
• Instruction ID: f06d61fa37b2e299aa78b85b20e8765ed0b9b7bd4250194bb78440689634c5db
• Opcode Fuzzy Hash: da733d93755384a79fad938ffd9bb8eafaf8d109f8cdc662f927e4ce03018115
• Instruction Fuzzy Hash: 2A23CC75A146018BEB18CF68ED91ABD77F0FB59301B14811EE806DBE71E73C9981EB42
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000D16B2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 000D17BE
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 000D1932
                                                                                                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 000D1991
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,0000000A), ref: 000D1A6A
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 000D1ACE
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000D1AF5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 930127669-0
                                                                                                                                                                                                            • Opcode ID: f3ea9cef5b4728047c6f76dc8683e4f4a1d585120a82042af46159807db0822d
                                                                                                                                                                                                            • Instruction ID: ef4adf7f6c89ed5989a629e8f232f753cee30f7ccafdfaf4a6021420323fd5ab
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f3ea9cef5b4728047c6f76dc8683e4f4a1d585120a82042af46159807db0822d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7AC10276A04600DBF748DF64FC966BA37B4FB05312B00411AE909C6AA1EF7C9981EF55
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000D08C2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 000D0966
                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000D0A15
                                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,000000FF), ref: 000D0A64
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000D0A82
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 000D0AD2
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000D0B10
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2696918072-0
                                                                                                                                                                                                            • Opcode ID: ff5d335054d8b3bd5fee8368dbed82d60ba4fa4a6922a89660dba498425eb217
                                                                                                                                                                                                            • Instruction ID: 04797fe68755b54e5e6751e5e06ae98a34d9c2a4aa34507db6436a4852ceb174
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ff5d335054d8b3bd5fee8368dbed82d60ba4fa4a6922a89660dba498425eb217
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3881CB725116019BF344DF28FC91ABA37F8FB48712B40411AE90AC6E71EB7C8981EB56
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 000D9FF7
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 000DA049
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 000DA061
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 000DA162
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 000DA3B6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1579346331-0
                                                                                                                                                                                                            • Opcode ID: c3a3198d066e795e22a5e782b443dbc09fed017efb09c78c29453ac16f1ea919
                                                                                                                                                                                                            • Instruction ID: 37e3e35f29915d94bc47ddfa905703971ae3018f96b1a9e436870cc1680442b4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c3a3198d066e795e22a5e782b443dbc09fed017efb09c78c29453ac16f1ea919
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A0D1EE76A046009FF708CF68FC85ABA37F4FB44311B15401BE905D7A61EB7C9A81EB62
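The three API lists above (the Toolhelp32 process-plus-module walk, the Process32Next loop that opens each entry with access 0x1 and calls TerminateProcess with exit code 0xFF, and the OpenSCManagerA/EnumServicesStatusA pair) are easier to read once the raw hex arguments are decoded against the SDK constants. The script below is an added triage example, not Joe Sandbox output and not code from the sample: the API lines in RECORDS are copied verbatim from the records above, while the flag tables, the tag names and the pattern rules are this example's own assumptions about how an analyst reads such lists. The one Win32 fact it relies on is that EnumServicesStatus fails with ERROR_MORE_DATA and reports the needed size when the buffer is too small, which is why a probing call, a GetLastError and a second call appear in that order. Whatever criterion selects the process to terminate between Process32Next iterations is not visible in the API list and is not guessed here.

```python
"""Triage helper for Joe Sandbox function-analysis records (added example, not report output).

The API lines in RECORDS are copied from this report's records; the constant tables,
tag names and pattern rules are this example's assumptions, not Joe Sandbox features.
"""
import re
from dataclasses import dataclass

RECORDS = {
    "proc_and_modules": """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000D16B2
• Process32First.KERNEL32(00000000,00000128), ref: 000D17BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 000D1932
• Module32First.KERNEL32(00000000,00000224), ref: 000D1991
• CloseHandle.KERNEL32(?,0000000A), ref: 000D1A6A
• Process32Next.KERNEL32(00000000,00000128), ref: 000D1ACE
• CloseHandle.KERNEL32(00000000), ref: 000D1AF5
""",
    "proc_kill": """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000D08C2
• Process32First.KERNEL32(00000000,00000128), ref: 000D0966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000D0A15
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 000D0A64
• CloseHandle.KERNEL32(00000000), ref: 000D0A82
• Process32Next.KERNEL32(00000000,00000128), ref: 000D0AD2
• CloseHandle.KERNEL32(00000000), ref: 000D0B10
""",
    "services": """
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 000D9FF7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 000DA049
• GetLastError.KERNEL32 ref: 000DA061
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 000DA162
• CloseServiceHandle.ADVAPI32(00000000), ref: 000DA3B6
""",
}

# Win32 bit flags (from the SDK headers) for the argument each rule inspects.
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}
SC_ACCESS = {0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x80000000: "GENERIC_READ"}
SERVICE_TYPE = {0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}  # 0x30 = SERVICE_WIN32
# api -> (index of the flag argument, table to decode it with)
FLAG_TABLES = {"CreateToolhelp32Snapshot": (0, TH32CS), "OpenProcess": (0, PROCESS_ACCESS),
               "OpenSCManagerA": (2, SC_ACCESS), "EnumServicesStatusA": (1, SERVICE_TYPE)}

# Matches "Api.MODULE(args), ref: addr" and the paren-less "GetLastError.KERNEL32 ref: addr" form.
LINE_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list   # one int per argument, None where the report prints '?'
    ref: int     # call-site address from the "ref:" field


def parse_record(text):
    """Turn the bullet lines of a report 'APIs' list into Call objects."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        api, mod, argstr, ref = m.groups()
        args = [None if a.strip() == "?" else int(a, 16)
                for a in (argstr or "").split(",") if a.strip()]
        calls.append(Call(api, mod, args, int(ref, 16)))
    return calls


def decode_flags(value, table):
    """Name the bits of a flag word; bits the table does not know are kept as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit == bit]
    rest = value & ~sum(bit for bit in table if value & bit == bit)
    return "|".join(names + ([hex(rest)] if rest else [])) or hex(value)


def decoded_arg(call):
    """Symbolic form of the call's flag argument, or None if no table applies."""
    if call.api not in FLAG_TABLES:
        return None
    idx, table = FLAG_TABLES[call.api]
    return decode_flags(call.args[idx], table) if idx < len(call.args) else "?"


def classify(calls):
    """Behavioural tags for one function, derived from API names and decoded arguments."""
    names = [c.api for c in calls]
    tags = []
    snap_flags = [c.args[0] or 0 for c in calls if c.api == "CreateToolhelp32Snapshot" and c.args]
    if any(f & 0x2 for f in snap_flags) and "Process32First" in names:
        tags.append("process-enumeration")
    if any(f & 0x8 for f in snap_flags) and "Module32First" in names:
        tags.append("module-enumeration")
    opens = [c for c in calls if c.api == "OpenProcess" and c.args]
    if "TerminateProcess" in names and any((c.args[0] or 0) & 0x1 for c in opens):
        tags.append("process-termination-loop")   # PROCESS_TERMINATE handle + TerminateProcess in a snapshot walk
    enum_idx = [i for i, c in enumerate(calls) if c.api.startswith("EnumServicesStatus")]
    if enum_idx:
        tags.append("service-enumeration")
        if len(enum_idx) >= 2 and "GetLastError" in names[enum_idx[0]:enum_idx[1]]:
            tags.append("size-probe-then-fill")   # first call sizes the buffer (ERROR_MORE_DATA), second fills it
    return tags


if __name__ == "__main__":
    for name, text in RECORDS.items():
        calls = parse_record(text)
        print(name, classify(calls))
        for c in calls:
            if decoded_arg(c):
                print(f"  {c.ref:08X} {c.api}({decoded_arg(c)})")
```

Running it prints each record's tags followed by the decoded flag arguments, so the kill loop shows up as OpenProcess(PROCESS_TERMINATE) at 000D0A15 and the service walk as OpenSCManagerA(GENERIC_READ) with SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS, i.e. SERVICE_WIN32, passed to both EnumServicesStatusA calls. The rules key on decoded flag bits rather than API names alone, so a snapshot taken with TH32CS_SNAPTHREAD or an OpenProcess without PROCESS_TERMINATE would not be mis-tagged as a process killer.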
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: $ $-4/
                                                                                                                                                                                                            • API String ID: 0-196967448
                                                                                                                                                                                                            • Opcode ID: f31f9be29c7e3c557d48bcf2dbdb7b5f130c96d1967cb197026c376f31357f3f
                                                                                                                                                                                                            • Instruction ID: 42ef52ad50d7025e1e43928f7197db8956cdb5a72923f5988517479c93506d45
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f31f9be29c7e3c557d48bcf2dbdb7b5f130c96d1967cb197026c376f31357f3f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C8220372608600CFF718DF64ED86AB937F4FB49711B10401EE50AC7AA2EB7D9941EB16
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: $5Nv$8%A$L08s$vE{
                                                                                                                                                                                                            • API String ID: 0-1922508855
                                                                                                                                                                                                            • Opcode ID: fd43facd7c70926ab27fa52edf8669260c36e3e72292a5b0cd1dff189cb18260
                                                                                                                                                                                                            • Instruction ID: 60d238a165349b07e7ce8009aeb422b07f60a16f74962a858c56fe1c03fdebc1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: fd43facd7c70926ab27fa52edf8669260c36e3e72292a5b0cd1dff189cb18260
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8592F172A04615CFEB18CFA8EC81ABE77F4FB05315714412EE806DBA61EB3D9941EB41
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000D5804
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 000D58E2
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 000D59E8
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000D5A7E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 420147892-0
                                                                                                                                                                                                            • Opcode ID: 95cb47af45acf37140b125ec496ed65d6f0c67fcfa8130873e22786dd098a25e
                                                                                                                                                                                                            • Instruction ID: 8518b606b3c88e75450b8c4b2bc1865d17292a964656e9edcc762d8ccb3a207d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 95cb47af45acf37140b125ec496ed65d6f0c67fcfa8130873e22786dd098a25e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0691DD75605A10CFE758DF28EC9A5BA37F4FB48312B10411AE906C7E60EB3C9942EF52
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,000E6E81,00000000,00000000,00000000), ref: 000CD636
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000CD65B
                                                                                                                                                                                                              • Part of subcall function 000E4589: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E4637
                                                                                                                                                                                                              • Part of subcall function 000E4589: CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 000E4655
                                                                                                                                                                                                              • Part of subcall function 000E4589: CloseHandle.KERNEL32(00000000,?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E468D
                                                                                                                                                                                                              • Part of subcall function 000E4589: WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E46A1
                                                                                                                                                                                                              • Part of subcall function 000E4589: CloseHandle.KERNEL32(?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E4712
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateHandle$Thread$EventObjectSingleWait
                                                                                                                                                                                                            • String ID: $}\N
                                                                                                                                                                                                            • API String ID: 784754931-3579273913
                                                                                                                                                                                                            • Opcode ID: 99a1485ea8b4bff1e9c53560b5f6985f4b2ae9fcea95808a106a3b33b85ea7af
                                                                                                                                                                                                            • Instruction ID: f2ecaf2f51c3b3ae74ac300c9171d10a9b759011f3ef4d8f8e630df1b4ea82ff
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 99a1485ea8b4bff1e9c53560b5f6985f4b2ae9fcea95808a106a3b33b85ea7af
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC52BEB5614600DBE708DF64EC92AB933F5FB48301B14402FE906D6EB2EB7D9941EB51
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: :JDX$W/=D$cZ)$vE{
                                                                                                                                                                                                            • API String ID: 0-1531476030
                                                                                                                                                                                                            • Opcode ID: d29ffbb74da2be72beae2fb6c4b9f35328cbf44db3e29b7cb94d9127eb58ec28
                                                                                                                                                                                                            • Instruction ID: d84a7cf3e4af8694ae6ad6d6a417086f813e8741e3163a154a5d5ca4580bc186
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d29ffbb74da2be72beae2fb6c4b9f35328cbf44db3e29b7cb94d9127eb58ec28
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3772CF72904605DFEB18DF68EC81ABE77F4FB44310B10812EE909D7A61EB399A41EF51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetComputerNameA.KERNEL32(?,?), ref: 000DB528
                                                                                                                                                                                                              • Part of subcall function 000E42B6: lstrlen.KERNEL32(?,?,000C2347,?), ref: 000E4320
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ComputerNamelstrlen
                                                                                                                                                                                                            • String ID: myiW
                                                                                                                                                                                                            • API String ID: 4141851928-4061706148
                                                                                                                                                                                                            • Opcode ID: ea62b910ef29f7e6157fe411a1f15e1e149d38703b36f1bb813e432391cff6a3
                                                                                                                                                                                                            • Instruction ID: c6e97f28017f2679e7e54e7ba6ceb3c9889225e4fd38a19121fdcb4e196d5657
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ea62b910ef29f7e6157fe411a1f15e1e149d38703b36f1bb813e432391cff6a3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5042C371904205CBE714EF64ED92AFE73B8FB14301B10401AE506E7AB2EF399A45EF61
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetSystemTime.KERNEL32(000E261C,?,?,000E261C), ref: 000ED2D5
                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 000ED37D
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CountSystemTickTime
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2164215191-0
                                                                                                                                                                                                            • Opcode ID: b4f214a24bbe2e8eb2b435ee65f3a50d743c797933454a6b0878cbb05eb097ca
                                                                                                                                                                                                            • Instruction ID: 76fbe1599f8b120bcfccbbd1c92764031d1d398daab2046efe5df98b0185b635
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b4f214a24bbe2e8eb2b435ee65f3a50d743c797933454a6b0878cbb05eb097ca
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F5319C76624610CFF7049B68FC466BA77F4F748721304401AE805C7AB1EB7D8952FB5A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
• API ID:
• String ID: B&>
• API String ID: 0-1526646359
• Opcode ID: 825864b86ccc61672f9430a520d26234d7044cef6e018555c06a65337eb99faa
• Instruction ID: bc89e831db79a6a9e20350888e1dd47e9ebf23e24dcab94e37372968ac1d9643
• Opcode Fuzzy Hash: 825864b86ccc61672f9430a520d26234d7044cef6e018555c06a65337eb99faa
• Instruction Fuzzy Hash: C452DC756047418FF708DF68EC926BA37F4F719701B14401BE949CAB62EB3D9981EB22
APIs
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: b6c1014346ed44cd36518ae2ebaceca3aac14e7b2e0e5f255aa5f95338840659
• Instruction ID: d6a614164734eba557c08a0e25e83f2413615a0ec058e316f56011cde244dbfe
• Opcode Fuzzy Hash: b6c1014346ed44cd36518ae2ebaceca3aac14e7b2e0e5f255aa5f95338840659
• Instruction Fuzzy Hash: FD32CE71904644CFE708DF65ED92ABA77F4FB14301F10401AE50AEBAA1EB3D9945EF11
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: "d@
• API String ID: 0-2935523628
• Opcode ID: 2eb649c41c375fa292f8ba1ef86f4e390be85c014183932eb8320f9c98056b23
• Instruction ID: 7658c57a38914022eea820d481146f53397390381e0787cd8e688ba01033da8e
• Opcode Fuzzy Hash: 2eb649c41c375fa292f8ba1ef86f4e390be85c014183932eb8320f9c98056b23
• Instruction Fuzzy Hash: 91E18976614651CBF348CF28EC9167A37F0FB59712354811AE809CAE71EB7D9941FB02
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 000E7525
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: 0b321e84a6bfce8ba830c26040b5605ef255b76fe5795a64b4a39d879280959b
• Instruction ID: a52d18fff2259672500030e576d7a4181575b0d82fbc3165b36b37f28aecbf66
• Opcode Fuzzy Hash: 0b321e84a6bfce8ba830c26040b5605ef255b76fe5795a64b4a39d879280959b
• Instruction Fuzzy Hash: 20F03A72D102049BE704DF58E84977977F8F708316F04055ED419D3A20D7799A10DF80
Strings
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: 'S
• API String ID: 0-46969972
• Opcode ID: a10e10b229eda817aba11cc5cc11ccd14baf60aa60a525cb60b507c859c39891
• Instruction ID: abf2754d2949d0c6c401b5d4b50b9537f421b3fa0dbc19629f38718673da1c9d
• Opcode Fuzzy Hash: a10e10b229eda817aba11cc5cc11ccd14baf60aa60a525cb60b507c859c39891
• Instruction Fuzzy Hash: DFA1BDB1614701CBE758CF28FD916BA77B5FB44311B10851BE80ACAF61EB7C9980EB61
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37ab9e6ed5a10f51edd541b495c218e6108439b4984ba194224c3e324f95a0b1
• Instruction ID: d5ea5f311d060f8e743c6bcf4775f529ec538ff864c4f4b71102f8247eb8741e
• Opcode Fuzzy Hash: 37ab9e6ed5a10f51edd541b495c218e6108439b4984ba194224c3e324f95a0b1
• Instruction Fuzzy Hash: F7E1BC716142409FEB18DF29ED92AB937F5FB54300710842AE80ADBA72EB3DD941EB45
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df12cbc3776e622afc148e50592fb3ca8300fc77613350aef880e224f0545a7a
• Instruction ID: bfcc383118492b408f5f9303ad339b6338c0b2ae6dfee758e3124902122e6036
• Opcode Fuzzy Hash: df12cbc3776e622afc148e50592fb3ca8300fc77613350aef880e224f0545a7a
• Instruction Fuzzy Hash: 45E1A175A102048FE748CF68EC9167A77F1FB98311B14802EE90AD7B61DB3DA940EF55
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58dece4fac7ff7546780cf248d74d7a49fa1bf17d2da48ae6fee283a038223d9
• Instruction ID: aa87b2a12194cbab8c9cbf6bbd43d75b1fdc7557292e23f34d7eb3f3ebb62862
• Opcode Fuzzy Hash: 58dece4fac7ff7546780cf248d74d7a49fa1bf17d2da48ae6fee283a038223d9
• Instruction Fuzzy Hash: 87D1CC76610641CFE348CF69EC856793BF0F784312710802AE856DBEB0EB3D9A41EB45
Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 83a4334fd4b2e2cc938c74d7e23b40fb8f5ff0eb7b802ed257cc5d050e5bc15b
                                                                                                                                                                                                            • Instruction ID: 8ac066cc20c9a9cb1d467c930c00f3518f1e6bd1475e65f1a96d3627767f417a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 83a4334fd4b2e2cc938c74d7e23b40fb8f5ff0eb7b802ed257cc5d050e5bc15b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1EC1E175A087418FE764CF28EC826BA37F4FB14710B14411BE94AC6A71E77C9980EB66
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1357844191-0
                                                                                                                                                                                                            • Opcode ID: 1e074014ce38d4921be473b94e3d1359620e9cd240e73641f614d990483b6e1e
                                                                                                                                                                                                            • Instruction ID: bc6bf7891ac4d265c464f52a8531b06dc87e1eea5de7ae3fe032cec67ff4dd24
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e074014ce38d4921be473b94e3d1359620e9cd240e73641f614d990483b6e1e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32B1AA796142418BE348CF68FCA257677F1FB59312304401AE84AC7E72EB3D9981FB66
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: f293d30cb0c9cd84ef5620c37323cc6b9e798329e8403d18e3f46f0159fc0670
                                                                                                                                                                                                            • Instruction ID: 7cf4735b237f5b88b392a263858d572f7da97c55a1e9c26e9b034a15341fb874
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f293d30cb0c9cd84ef5620c37323cc6b9e798329e8403d18e3f46f0159fc0670
                                                                                                                                                                                                            • Instruction Fuzzy Hash: BAB166B26056508FF358CF29FD9053A77F4FB99342314852AE816C6E31E73DA981EB41
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 9d1b7c40aca5e4b21cb2fce41df90a5a3b9fd2dfb0a8fcfb4c70a2cbd479e615
                                                                                                                                                                                                            • Instruction ID: 58a2319b913f81be95daa07733a627de6b62ae624aca650de95fe3eeb167fa2e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9d1b7c40aca5e4b21cb2fce41df90a5a3b9fd2dfb0a8fcfb4c70a2cbd479e615
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 68B10C726196408FF744CF28EC82A797BF0FB65301744811EE949CBA71EB3C9A45EB52
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 015405222a94e8a017db98842f5afd36cfaf456ea4770dafb04abd2d5817a09b
                                                                                                                                                                                                            • Instruction ID: 8f10b3631841bb3235034b7237bae4ca928bb6ac69ac959460b46408cc856d63
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 015405222a94e8a017db98842f5afd36cfaf456ea4770dafb04abd2d5817a09b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D281FF72A152058BF358CF68ED81A7A3BF4FB55311B04451AE809C7A72E77CC941FB46
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 438af959dfd8cd4313425da3c2f6630689d1404d045420ab25a3789c4578f5fa
                                                                                                                                                                                                            • Instruction ID: 8fa2f1d4126f39b2b1aa8cdda45c39f7e964a7c6a553d0c96ace3ec4b26a98ce
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 438af959dfd8cd4313425da3c2f6630689d1404d045420ab25a3789c4578f5fa
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A271B9312046818FF348CF29ED956763BF5FB59302714812ED94ACAE71EB3D9981EB02
                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
• Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 637e6835dfff7f3cf7b04346372a860d7e438e0f448ae459b498cf93a4beef42
• Instruction ID: 9789e4d9d858706cbf1da78c157ec5b1f2b6c5d4e1c855362a8863177d721584
• Opcode Fuzzy Hash: 637e6835dfff7f3cf7b04346372a860d7e438e0f448ae459b498cf93a4beef42
• Instruction Fuzzy Hash:
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 000CCAF2
• SetServiceStatus.ADVAPI32(000FB2DC), ref: 000CCB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000CCB78
• SetServiceStatus.ADVAPI32(000FB2DC), ref: 000CCBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 000CCC62
• SetServiceStatus.ADVAPI32(000FB2DC), ref: 000CCCAF
• CloseHandle.KERNEL32 ref: 000CCCC5
• SetServiceStatus.ADVAPI32(000FB2DC), ref: 000CCD8F
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: 324aeba198ad10ffea55526eb4eb62dbedcc2c92a83d3b957d039de272cde8a3
• Instruction ID: 40162f28cbd0f43fed072c83d7e9d15eba0478c0b0805e0ba5e25ba099c10ecf
• Opcode Fuzzy Hash: 324aeba198ad10ffea55526eb4eb62dbedcc2c92a83d3b957d039de272cde8a3
• Instruction Fuzzy Hash: 0D913E701112028BF758DF28ED99A7A3BF4FB09315310412AE80ACAE70DB7D9886FF45
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 000DB104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 000DB16D
• CloseHandle.KERNEL32(00000000), ref: 000DB1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000DB25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 000DB2AB
• CloseHandle.KERNEL32(00000000), ref: 000DB2D8
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: c5a24f57f6c0984965800fa3c6362b9071fdca63125732eb7cfe54f43bce9389
• Instruction ID: 00107956fdde6e92fd02d487df28e396361a2f14da60fb55699cfdad34cf0d5b
• Opcode Fuzzy Hash: c5a24f57f6c0984965800fa3c6362b9071fdca63125732eb7cfe54f43bce9389
• Instruction Fuzzy Hash: 4E71C876600205DBE354DF68ED8297A3BF8F745316715422AE906C6E60E73C9A81FB22
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E4637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 000E4655
• CloseHandle.KERNEL32(00000000,?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E46A1
• CloseHandle.KERNEL32(?,00000002,?,000CD583,Function_0000AD87,00000002,00000000), ref: 000E4712
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: af1a2bfc7a3ea4e8cef43563eb251a0a23b8746b48d5e021b6e450644b679ce5
• Instruction ID: df6820bacbaaa26fd2395ec20d6bc9c8c45d8deb072c1aa64f466de01895d5f0
• Opcode Fuzzy Hash: af1a2bfc7a3ea4e8cef43563eb251a0a23b8746b48d5e021b6e450644b679ce5
• Instruction Fuzzy Hash: 3C419875115680DFE328DF29EC899363BF5F78A712314442AE94AD6E31E7399801EF12
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 000E4CBC
  • Part of subcall function 000D074E: wvsprintfA.USER32(?,?,?), ref: 000D07C3
• Sleep.KERNEL32(00015F90), ref: 000E4E60
• DeleteFileA.KERNEL32(?), ref: 000E4E7F
Strings
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: 64b633eb3ba29f7af26f1e976776db87d5114674fdb6a3f23544cf60759f033d
• Instruction ID: c773bd8461b82435633c4411181a19ba401df00eeb24e7d959bd1123bb1ef88a
• Opcode Fuzzy Hash: 64b633eb3ba29f7af26f1e976776db87d5114674fdb6a3f23544cf60759f033d
• Instruction Fuzzy Hash: 14D103716146448FF718DF64EC92AB637F8FB44311B04401AE90ADBEB2DB3C9981EB52
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000D9C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 000D9CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 000D9DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 000D9E86
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseFileHandle$CreateRead
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2564258376-0
                                                                                                                                                                                                            • Opcode ID: bf9c47768ae2daaf215fd855f7adfcc0390af7e65a3c8914400ad28718fd4a92
                                                                                                                                                                                                            • Instruction ID: c590a3708b5746c577f4165e4ce6a15269f505cdb5ed2cb347d9c128d3d7e6b4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bf9c47768ae2daaf215fd855f7adfcc0390af7e65a3c8914400ad28718fd4a92
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3781D175614200DBF714DF64EC82ABA37F9FB44711F00041AE90AD6AA1EB7C9981EB66
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,000D8146,00000000,?,?,?,?,?,000CF85A,?,?,?,000E9573), ref: 000E9143
                                                                                                                                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,000D8146,00000000), ref: 000E914A
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,000D8146,00000000,?,?,?,?,?,000CF85A,?,?,?,000E9573,?), ref: 000E9174
                                                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,000D8146,00000000,?,?,?,?,?,000CF85A,?,?,?,000E9573,?,00000001), ref: 000E917B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000001.00000002.1517705687.00000000000C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000C0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517689490.00000000000C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517730913.00000000000EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517745310.00000000000F0000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517760104.00000000000F3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000001.00000002.1517781625.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_c0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1154092256-0
                                                                                                                                                                                                            • Opcode ID: 2ea3a75f32555cb028c674f5f9fe5643fca41f417d9c876d0d37c535977af1c4
                                                                                                                                                                                                            • Instruction ID: 6ee52a05d3972bcfe3507dd55b3e3c92e587c7d60e1df81b0c729d15dce869c2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2ea3a75f32555cb028c674f5f9fe5643fca41f417d9c876d0d37c535977af1c4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F010476540604DFEB449FA0FC89A793BA4FB08702F844015FA0ACAA62EB7DA450EB41

Execution Graph

Execution Coverage: 14.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.2%
Total number of Nodes: 1341
Total number of Limit Nodes: 6
                                                                                                                                                                                                            execution_graph 8485 94d01d 8486 94d03a 8485->8486 8492 945d58 8486->8492 8490 94d067 8491 94d108 ExitProcess 8490->8491 8493 945d93 8492->8493 8503 92565e 8493->8503 8495 945dbb 8496 935d50 8495->8496 8497 935d87 GetStdHandle 8496->8497 8498 935d74 8496->8498 8499 935db3 8497->8499 8500 935dc5 GetStdHandle 8497->8500 8498->8497 8499->8500 8501 935dfa GetStdHandle 8500->8501 8501->8490 8504 9256c5 GetProcessHeap HeapAlloc 8503->8504 8505 925695 8503->8505 8504->8495 8505->8504 8238 935498 8239 9354ba 8238->8239 8240 93550a Mailbox 8238->8240 8241 9355fd CreateProcessA 8240->8241 8242 935633 CloseHandle CloseHandle 8241->8242 8243 935677 8241->8243 8242->8243 8611 92519e 8612 9423a6 Mailbox 2 API calls 8611->8612 8613 9251b3 8612->8613 9193 93af1f 9194 93af3f 9193->9194 9199 93111e 9194->9199 9196 93af7b 9197 9354d8 3 API calls 9196->9197 9198 93afe0 Mailbox 9197->9198 9200 93114d 9199->9200 9201 9311d9 CreateFileA 9200->9201 9202 931219 9201->9202 9203 93124b ReadFile CloseHandle 9202->9203 9205 9315a4 9202->9205 9204 93129d 9203->9204 9206 9312bd GetTickCount 9204->9206 9205->9196 9226 9251ca 9206->9226 9208 9312de 9209 9442b6 lstrlen 9208->9209 9210 931310 9209->9210 9211 93a805 2 API calls 9210->9211 9212 931378 9211->9212 9213 938251 2 API calls 9212->9213 9214 931416 9213->9214 9218 93a805 2 API calls 9214->9218 9225 9314e0 CreateFileA 9214->9225 9216 93154f 9216->9205 9217 931564 WriteFile CloseHandle 9216->9217 9217->9205 9219 93147e 9218->9219 9220 9442b6 lstrlen 9219->9220 9221 9314a0 9220->9221 9222 93074e wvsprintfA 9221->9222 9223 9314a9 9222->9223 9224 938251 2 API calls 9223->9224 9224->9225 9225->9216 9227 9251ea 9226->9227 9228 9442b6 lstrlen 9227->9228 9229 925235 9228->9229 9229->9208 8245 937686 8248 92fc1b 8245->8248 8251 9494b4 8248->8251 8252 
9494bd Mailbox 8251->8252 8254 9494e3 8251->8254 8253 92de5a Mailbox 2 API calls 8252->8253 8253->8254 8618 92ad87 8619 92ada3 8618->8619 8674 92501c 8619->8674 8621 92ae0e 8622 94443e 4 API calls 8621->8622 8626 92b26c Mailbox 8621->8626 8623 92aeff 8622->8623 8624 93a805 2 API calls 8623->8624 8625 92af15 8624->8625 8627 92846d 9 API calls 8625->8627 8628 92af2d 8627->8628 8629 938251 2 API calls 8628->8629 8630 92af56 8629->8630 8677 942306 8630->8677 8635 925724 8 API calls 8636 92af88 Mailbox 8635->8636 8637 93a805 2 API calls 8636->8637 8638 92afc5 8637->8638 8639 930b92 9 API calls 8638->8639 8640 92afe2 8639->8640 8641 925724 8 API calls 8640->8641 8642 92afee Mailbox 8641->8642 8643 938251 2 API calls 8642->8643 8644 92b00f 8643->8644 8645 92fe4b 8 API calls 8644->8645 8646 92b02d 8645->8646 8647 925724 8 API calls 8646->8647 8648 92b036 Mailbox 8647->8648 8683 931c14 8648->8683 8650 92b066 8687 9260ad 8650->8687 8652 92b085 Mailbox 8653 935fba 9 API calls 8652->8653 8654 92b0c9 8653->8654 8741 927ef1 8654->8741 8657 93a805 2 API calls 8658 92b0f8 8657->8658 8659 930b92 9 API calls 8658->8659 8660 92b149 8659->8660 8661 925724 8 API calls 8660->8661 8662 92b155 Mailbox 8661->8662 8663 938251 2 API calls 8662->8663 8664 92b174 Mailbox 8663->8664 8665 949883 8 API calls 8664->8665 8666 92b19a 8665->8666 8667 949707 Mailbox 8 API calls 8666->8667 8668 92b1ea 8667->8668 8669 93a805 2 API calls 8668->8669 8670 92b217 8669->8670 8745 938695 8670->8745 8672 92b235 8673 938251 2 API calls 8672->8673 8673->8626 8675 949883 8 API calls 8674->8675 8676 925042 SetEvent 8675->8676 8676->8621 8845 924f0b 8677->8845 8680 931bc3 8681 947848 8 API calls 8680->8681 8682 92af7c 8681->8682 8682->8635 8684 931c36 Mailbox 8683->8684 8685 92bdcb 8 API calls 8684->8685 8686 931ce6 Mailbox 8685->8686 8686->8650 8688 926101 8687->8688 8689 93a805 2 API calls 8688->8689 8694 92623b Mailbox 8688->8694 8690 9261a7 8689->8690 8691 92846d 9 API calls 8690->8691 8692 9261d6 8691->8692 
8693 938251 2 API calls 8692->8693 8693->8694 8695 926321 8694->8695 8698 9263fd 8694->8698 8696 93a805 2 API calls 8695->8696 8697 92635d 8696->8697 8699 92846d 9 API calls 8697->8699 8702 93a805 2 API calls 8698->8702 8700 926381 8699->8700 8701 938251 2 API calls 8700->8701 8740 92639c Mailbox 8701->8740 8703 926487 Mailbox 8702->8703 8853 937ab8 8703->8853 8706 938251 2 API calls 8707 9264eb 8706->8707 8708 926598 8707->8708 8709 92651c 8707->8709 8865 928036 8708->8865 8711 93a805 2 API calls 8709->8711 8713 926532 8711->8713 8716 92846d 9 API calls 8713->8716 8714 9265cb 8719 93a805 2 API calls 8714->8719 8715 926668 8718 92ddd3 lstrlen 8715->8718 8717 926548 8716->8717 8720 938251 2 API calls 8717->8720 8721 9266a4 8718->8721 8722 9265f2 8719->8722 8720->8740 8869 93ae3b 8721->8869 8724 92846d 9 API calls 8722->8724 8726 926612 8724->8726 8728 938251 2 API calls 8726->8728 8728->8740 8730 93a805 2 API calls 8731 926718 8730->8731 8732 938251 2 API calls 8731->8732 8733 926775 8732->8733 8734 9442b6 lstrlen 8733->8734 8735 9267c4 8734->8735 8736 92c622 5 API calls 8735->8736 8737 9267e3 8736->8737 8877 94d831 8737->8877 8740->8652 8742 927f14 8741->8742 8743 92dd8f 8 API calls 8742->8743 8744 927f37 8743->8744 8744->8657 8746 9386b6 8745->8746 8747 923e8c GetSystemTimeAsFileTime 8746->8747 8748 938873 8747->8748 8749 9442b6 lstrlen 8748->8749 8754 9388d0 8749->8754 8750 9442b6 lstrlen 8751 938a48 8750->8751 8752 9442b6 lstrlen 8751->8752 8753 938a56 8752->8753 8755 93a805 2 API calls 8753->8755 8837 939185 Mailbox 8753->8837 8754->8750 8754->8837 8756 938ad5 8755->8756 8757 92846d 9 API calls 8756->8757 8758 938b0f 8757->8758 8759 938251 2 API calls 8758->8759 8760 938b3d Mailbox 8759->8760 8761 93a805 2 API calls 8760->8761 8775 938d19 8760->8775 8763 938b9e 8761->8763 8762 930b92 9 API calls 8764 938dbe 8762->8764 8765 9323e9 9 API calls 8763->8765 8766 925724 8 API calls 8764->8766 8768 938bc8 Mailbox 8765->8768 8767 938dca Mailbox 8766->8767 8769 93a805 2 
API calls 8767->8769 8771 938251 2 API calls 8768->8771 8770 938ded 8769->8770 8772 930b92 9 API calls 8770->8772 8777 938bf7 8771->8777 8773 938e04 8772->8773 8774 925724 8 API calls 8773->8774 8776 938e10 Mailbox 8774->8776 8775->8762 8779 938251 2 API calls 8776->8779 8777->8775 8778 931c14 8 API calls 8777->8778 8780 938c77 8778->8780 8781 938e3b 8779->8781 8782 93a805 2 API calls 8780->8782 8783 930b92 9 API calls 8781->8783 8784 938cbd 8782->8784 8785 938e8b 8783->8785 8787 92846d 9 API calls 8784->8787 8786 925724 8 API calls 8785->8786 8790 938e9a Mailbox 8786->8790 8788 938cff 8787->8788 8789 938251 2 API calls 8788->8789 8789->8775 8792 93a805 2 API calls 8790->8792 8827 939051 Mailbox 8790->8827 8791 93a805 2 API calls 8793 939087 8791->8793 8794 938f09 8792->8794 8796 930b92 9 API calls 8793->8796 8795 930b92 9 API calls 8794->8795 8797 938f23 8795->8797 8798 9390d7 8796->8798 8799 925724 8 API calls 8797->8799 8800 925724 8 API calls 8798->8800 8801 938f32 Mailbox 8799->8801 8802 9390e3 Mailbox 8800->8802 8803 93a805 2 API calls 8801->8803 8804 938251 2 API calls 8802->8804 8805 938f5b 8803->8805 8806 9390fd 8804->8806 8808 938251 2 API calls 8805->8808 8807 939142 socket 8806->8807 8809 925724 8 API calls 8806->8809 8811 939197 8807->8811 8807->8837 8810 938fbc Mailbox 8808->8810 8809->8807 8814 93074e wvsprintfA 8810->8814 8812 9391f3 gethostbyname 8811->8812 8813 9391bb setsockopt 8811->8813 8817 939289 inet_ntoa inet_addr 8812->8817 8812->8837 8813->8812 8816 938fdd 8814->8816 8818 938251 2 API calls 8816->8818 8821 9392f9 htons connect 8817->8821 8822 9392ef 8817->8822 8820 938ff4 8818->8820 8823 930b92 9 API calls 8820->8823 8825 93932f Mailbox 8821->8825 8821->8837 8822->8821 8824 939042 8823->8824 8826 925724 8 API calls 8824->8826 8828 93939f send 8825->8828 8826->8827 8827->8791 8829 9393bb Mailbox 8828->8829 8830 949707 Mailbox 8 API calls 8829->8830 8829->8837 8844 9393df Mailbox 8830->8844 8831 93946b recv 8831->8844 8832 939784 
closesocket 8835 9397e1 8832->8835 8832->8837 8836 931c14 8 API calls 8835->8836 8836->8837 8837->8672 8838 937f29 Mailbox 8 API calls 8838->8844 8839 949883 8 API calls 8839->8844 8840 9323e9 9 API calls 8840->8844 8841 938251 GetProcessHeap RtlFreeHeap 8841->8844 8843 93a805 GetProcessHeap RtlAllocateHeap 8843->8844 8844->8831 8844->8832 8844->8838 8844->8839 8844->8840 8844->8841 8844->8843 9075 94d5e8 8844->9075 9079 92f1bd 8844->9079 8846 924f16 8845->8846 8849 92e739 8846->8849 8850 92e751 8849->8850 8851 92dd8f 8 API calls 8850->8851 8852 924f36 8851->8852 8852->8680 8854 937ae2 8853->8854 8860 9264bc 8854->8860 8906 946c12 8854->8906 8859 937d11 8864 937c94 Mailbox 8859->8864 8916 93bff6 8859->8916 8860->8706 8862 937dab 8923 9370e6 8862->8923 8933 93761b 8864->8933 8866 92804b GetModuleFileNameA 8865->8866 8868 9265c2 8866->8868 8868->8714 8868->8715 8870 93ae5e 8869->8870 8871 92bece 9 API calls 8870->8871 8872 9266de 8870->8872 8871->8872 8873 943ca3 8872->8873 8874 926702 8873->8874 8875 943cd9 8873->8875 8874->8730 8875->8874 8876 93ae3b 9 API calls 8875->8876 8876->8875 8878 94d84e Mailbox 8877->8878 8879 94d94f CreatePipe 8878->8879 8880 94d9ad SetHandleInformation 8879->8880 8881 94d999 8879->8881 8885 94da12 8880->8885 8886 94da3b CreatePipe 8880->8886 8882 949707 Mailbox 8 API calls 8881->8882 8884 926894 DeleteFileA 8881->8884 8882->8884 8884->8740 8885->8886 8887 94da66 SetHandleInformation 8886->8887 8888 94da52 8886->8888 8891 94da9a Mailbox 8887->8891 8889 94de64 CloseHandle 8888->8889 8889->8881 8890 94de7b CloseHandle 8889->8890 8890->8881 8892 94db76 CreateProcessA 8891->8892 8893 94dc04 WriteFile 8892->8893 8894 94dbe0 CloseHandle 8892->8894 8893->8894 8896 94dc3e CloseHandle CloseHandle 8893->8896 8897 94ddd2 CloseHandle 8894->8897 8900 94dca1 8896->8900 8897->8889 9068 944101 8900->9068 8904 94dd6c CloseHandle CloseHandle 8904->8897 8907 946c2d 8906->8907 8908 924088 4 API calls 8907->8908 8909 946cb8 8908->8909 8910 9286e2 4 API calls 
8909->8910 8911 937c5d 8909->8911 8910->8911 8911->8864 8912 9286e2 8911->8912 8913 9286f8 8912->8913 8914 924088 4 API calls 8913->8914 8915 92873e Mailbox 8914->8915 8915->8859 8936 927bf8 8916->8936 8920 93c05c 8948 92774c 8920->8948 8922 93c089 Mailbox 8922->8862 8924 9370f3 8923->8924 8930 9371ef 8924->8930 8960 93a4b9 8924->8960 8927 93745e 8929 93a805 2 API calls 8927->8929 8927->8930 8928 93a805 2 API calls 8931 93740b 8928->8931 8929->8930 8930->8864 8931->8930 8932 938251 2 API calls 8931->8932 8932->8927 8934 94572d 2 API calls 8933->8934 8935 937661 8934->8935 8935->8860 8937 927c25 8936->8937 8938 93a805 2 API calls 8937->8938 8939 927c4e Mailbox 8938->8939 8940 938251 2 API calls 8939->8940 8941 927c82 8940->8941 8942 930ce6 8941->8942 8943 930d32 Mailbox 8942->8943 8945 931054 Mailbox 8943->8945 8946 930ecd 8943->8946 8954 930113 8943->8954 8945->8920 8946->8945 8947 930113 4 API calls 8946->8947 8947->8946 8949 9277a8 Mailbox 8948->8949 8950 930ce6 4 API calls 8949->8950 8951 927a60 8950->8951 8952 930ce6 4 API calls 8951->8952 8953 927ab2 8952->8953 8953->8922 8955 930132 Mailbox 8954->8955 8956 93a805 2 API calls 8955->8956 8957 930318 8956->8957 8958 938251 2 API calls 8957->8958 8959 9305f9 8958->8959 8959->8946 8961 93a506 8960->8961 8962 946c12 4 API calls 8961->8962 8964 93a539 8962->8964 8963 94572d 2 API calls 8968 93719b 8963->8968 8965 93a563 8964->8965 8966 93a58e 8964->8966 8970 93a5e4 8964->8970 8967 94572d 2 API calls 8965->8967 8971 9269a8 8966->8971 8967->8968 8968->8927 8968->8928 8968->8930 8970->8963 8972 9269c7 Mailbox 8971->8972 8973 924088 4 API calls 8972->8973 8983 9276f7 8972->8983 8974 926c45 8973->8974 8975 924088 4 API calls 8974->8975 9004 9270f3 8974->9004 8977 926c6a 8975->8977 8976 9276cf 8978 9276e7 8976->8978 8979 9276fc 8976->8979 8984 924088 4 API calls 8977->8984 8977->9004 8982 94572d 2 API calls 8978->8982 8980 94572d 2 API calls 8979->8980 8980->8983 8981 94572d 2 API calls 8981->9004 8982->8983 8983->8970 
8985 926c97 8984->8985 8986 9286e2 4 API calls 8985->8986 8996 926cb9 Mailbox 8985->8996 8985->9004 8987 926d18 8986->8987 8987->9004 9006 92dec6 8987->9006 8989 926e4c 8993 9285a4 4 API calls 8989->8993 8990 926e3d 8992 942405 4 API calls 8990->8992 8995 926e47 8992->8995 8993->8995 8997 9285a4 4 API calls 8995->8997 8996->8989 8996->8990 8996->9004 8998 926ec5 8997->8998 8999 924088 4 API calls 8998->8999 8998->9004 9000 926f71 8999->9000 9001 9285a4 4 API calls 9000->9001 9000->9004 9003 926f9e 9001->9003 9002 924088 4 API calls 9002->9003 9003->9002 9003->9004 9005 9285a4 4 API calls 9003->9005 9004->8976 9004->8981 9005->9003 9007 92df1f 9006->9007 9008 924088 4 API calls 9007->9008 9009 926d62 9007->9009 9008->9009 9009->9004 9010 942405 9009->9010 9011 942431 9010->9011 9018 929903 9011->9018 9013 942450 9014 92e4e4 4 API calls 9013->9014 9015 9424b6 9013->9015 9016 94248c 9013->9016 9014->9013 9015->8996 9016->9015 9058 936d72 9016->9058 9019 929924 9018->9019 9020 929a10 9019->9020 9021 9299a4 9019->9021 9024 929952 9019->9024 9025 9285a4 4 API calls 9020->9025 9022 9299c4 9021->9022 9023 9286e2 4 API calls 9021->9023 9022->9024 9026 9285a4 4 API calls 9022->9026 9051 9299ea 9022->9051 9023->9022 9024->9013 9028 929a45 9025->9028 9026->9051 9027 94572d 2 API calls 9027->9024 9029 9285a4 4 API calls 9028->9029 9028->9051 9030 929aaa 9029->9030 9031 924088 4 API calls 9030->9031 9030->9051 9032 929aed 9031->9032 9033 9286e2 4 API calls 9032->9033 9032->9051 9034 929b25 9033->9034 9035 924088 4 API calls 9034->9035 9034->9051 9036 929b46 9035->9036 9037 924088 4 API calls 9036->9037 9036->9051 9038 929b73 9037->9038 9039 92dec6 4 API calls 9038->9039 9041 929c7b 9038->9041 9038->9051 9040 929c56 9039->9040 9043 92dec6 4 API calls 9040->9043 9040->9051 9042 92dec6 4 API calls 9041->9042 9041->9051 9044 929d47 9042->9044 9043->9041 9045 936d72 4 API calls 9044->9045 9056 929e51 9044->9056 9045->9044 9046 92a66b 9047 9285a4 4 API calls 9046->9047 9048 92a6fa 
9046->9048 9047->9048 9050 9285a4 4 API calls 9048->9050 9048->9051 9049 9286e2 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9049->9056 9050->9051 9051->9024 9051->9027 9052 92534c GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9052->9056 9053 92dec6 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9053->9056 9054 936d72 4 API calls 9054->9056 9055 9285a4 4 API calls 9055->9056 9056->9046 9056->9049 9056->9051 9056->9052 9056->9053 9056->9054 9056->9055 9057 92e4e4 4 API calls 9056->9057 9057->9056 9059 936d97 9058->9059 9060 936f07 9059->9060 9062 936dd4 9059->9062 9061 92b38e 4 API calls 9060->9061 9067 936e24 9061->9067 9063 936e66 9062->9063 9064 936df4 9062->9064 9066 9458f9 4 API calls 9063->9066 9065 9458f9 4 API calls 9064->9065 9065->9067 9066->9067 9067->9016 9069 94410e 9068->9069 9070 949707 Mailbox 8 API calls 9069->9070 9073 94419c 9070->9073 9071 9441f1 ReadFile 9072 944256 WaitForSingleObject 9071->9072 9071->9073 9072->8904 9073->9071 9073->9072 9074 949883 8 API calls 9073->9074 9074->9073 9076 94d5ff 9075->9076 9077 923e8c GetSystemTimeAsFileTime 9076->9077 9078 94d628 9076->9078 9077->9078 9078->8844 9080 92f206 9079->9080 9081 93a805 2 API calls 9080->9081 9082 92f22f 9081->9082 9083 9323e9 9 API calls 9082->9083 9084 92f250 Mailbox 9083->9084 9085 938251 2 API calls 9084->9085 9086 92f28d 9085->9086 9087 93a805 2 API calls 9086->9087 9092 92f2a5 9086->9092 9088 92f2cb 9087->9088 9089 9323e9 9 API calls 9088->9089 9090 92f2e2 Mailbox 9089->9090 9091 938251 2 API calls 9090->9091 9091->9092 9092->8844 9096 92e9b3 9097 939a0f 8 API calls 9096->9097 9098 92e9e3 9097->9098 9099 925724 8 API calls 9098->9099 9100 92ea10 9099->9100 7628 94cdb7 7629 94ce1b 7628->7629 7632 93ff2a 7629->7632 7721 938251 7632->7721 7636 93ff74 7637 938251 2 API calls 7636->7637 7638 93ff88 7637->7638 7639 93a805 2 API calls 7638->7639 7640 93ffc7 7639->7640 7641 938251 2 API calls 7640->7641 7642 93ffdb 7641->7642 7643 93a805 2 API calls 
7642->7643 7644 94001a 7643->7644 7645 938251 2 API calls 7644->7645 7646 94002e 7645->7646 7647 93a805 2 API calls 7646->7647 7648 940063 7647->7648 7649 938251 2 API calls 7648->7649 7650 940077 7649->7650 7651 93a805 2 API calls 7650->7651 7652 9400f0 7651->7652 7653 938251 2 API calls 7652->7653 7654 940126 7653->7654 7655 93a805 2 API calls 7654->7655 7656 9401a6 7655->7656 7657 938251 2 API calls 7656->7657 7658 9401c4 7657->7658 7659 93a805 2 API calls 7658->7659 7660 940238 7659->7660 7661 938251 2 API calls 7660->7661 7662 940252 7661->7662 7663 93a805 2 API calls 7662->7663 7664 940283 7663->7664 7665 938251 2 API calls 7664->7665 7666 9402bf 7665->7666 7667 93a805 2 API calls 7666->7667 7668 940325 7667->7668 7669 938251 2 API calls 7668->7669 7670 940339 7669->7670 7671 93a805 2 API calls 7670->7671 7672 94036a 7671->7672 7673 938251 2 API calls 7672->7673 7674 9403bd 7673->7674 7675 93a805 2 API calls 7674->7675 7676 940402 7675->7676 7677 938251 2 API calls 7676->7677 7678 940422 7677->7678 7679 93a805 2 API calls 7678->7679 7680 940469 7679->7680 7681 938251 2 API calls 7680->7681 7682 9404b2 7681->7682 7683 938251 2 API calls 7682->7683 7684 940503 Mailbox 7683->7684 7728 92de5a GetProcessHeap RtlFreeHeap 7684->7728 7688 94054a 7689 93a805 2 API calls 7688->7689 7690 940560 GetEnvironmentVariableA 7689->7690 7691 9405b2 7690->7691 7692 938251 2 API calls 7691->7692 7693 9405d0 CreateMutexA CreateMutexA CreateMutexA 7692->7693 7694 940665 7693->7694 7695 940809 7694->7695 7696 9406de GetTickCount 7694->7696 7697 9406c9 7694->7697 7735 9288a8 7695->7735 7699 9406f2 7696->7699 7697->7696 7701 93a805 2 API calls 7699->7701 7700 940818 GetCommandLineA 7703 9408a8 7700->7703 7705 940710 7701->7705 7704 93a805 2 API calls 7703->7704 7707 9408c5 7704->7707 7706 938251 2 API calls 7705->7706 7708 9407b7 7706->7708 7709 938251 2 API calls 7707->7709 7708->7695 7710 94092f 7709->7710 7711 93a805 2 API calls 7710->7711 7712 940996 7711->7712 7713 938251 2 API 
calls 7712->7713 7714 940a10 7713->7714 7838 9315e5 7714->7838 7722 938268 Mailbox 7721->7722 7723 92de5a Mailbox 2 API calls 7722->7723 7724 9382cb 7723->7724 7725 93a805 7724->7725 7841 9423a6 7725->7841 7727 93a878 Mailbox 7727->7636 7729 92de8a 7728->7729 7730 94d256 GetSystemTime 7729->7730 7731 94d2ec 7730->7731 7844 923e8c 7731->7844 7733 94d368 GetTickCount 7734 94d39b 7733->7734 7734->7688 7736 9288cc 7735->7736 7737 9288ea GetVersionExA 7736->7737 7848 92e769 7737->7848 7743 9289fc 7746 928a89 CreateDirectoryA 7743->7746 7744 928b28 7745 93a805 2 API calls 7744->7745 7747 928bc2 7745->7747 7748 93a805 2 API calls 7746->7748 7871 92846d 7747->7871 7750 928ae2 7748->7750 7754 938251 2 API calls 7750->7754 7752 938251 2 API calls 7753 928c06 Mailbox 7752->7753 7875 92c622 7753->7875 7754->7744 7756 928d6f 7758 93c0de 6 API calls 7756->7758 7757 928cfe DeleteFileA 7760 928d2b 7757->7760 7761 928d3d RemoveDirectoryA 7757->7761 7762 928d85 7758->7762 7760->7761 7761->7756 7763 928dc3 CreateDirectoryA 7762->7763 7764 928e00 7763->7764 7891 92f793 7764->7891 7768 93a805 2 API calls 7769 928eb8 7768->7769 7770 93a805 2 API calls 7769->7770 7771 928f10 7770->7771 7772 938251 2 API calls 7771->7772 7773 928f6c 7772->7773 7774 92846d 9 API calls 7773->7774 7775 928f89 7774->7775 7776 938251 2 API calls 7775->7776 7777 928f9b Mailbox 7776->7777 7778 92c622 5 API calls 7777->7778 7779 928fca 7778->7779 7780 929769 7779->7780 7781 92906c 7779->7781 7782 928fec 7779->7782 7783 92f793 lstrlen 7780->7783 7786 93a805 2 API calls 7781->7786 7785 93a805 2 API calls 7782->7785 7784 92977f SetFileAttributesA 7783->7784 7793 9297e1 Mailbox 7784->7793 7787 92900e 7785->7787 7788 929082 7786->7788 7896 93074e 7787->7896 7790 93074e wvsprintfA 7788->7790 7792 9290a0 7790->7792 7791 929034 7794 938251 2 API calls 7791->7794 7795 938251 2 API calls 7792->7795 7793->7700 7796 92905d 7794->7796 7795->7796 7797 929128 7796->7797 7798 929144 CreateDirectoryA 7797->7798 7799 92917e 
Call graph (the interactive graph is not reproduced here; only the API calls attached to graph nodes are recoverable). API chains visible on the graph, keyed by the address of the calling node:
• Working directory setup (9288a8 path): 9291cd CreateDirectoryA, 929341 GetTempPathA, 9294ae CreateDirectoryA, 929633 GetTempPathA, 928e64 CreateDirectoryA; string lengths via 9442b6 / 92f793 lstrlen, formatting via 930764 / 93074e wvsprintfA
• Heap helpers: 93a805 (9423e2 GetProcessHeap, RtlAllocateHeap); 938251 (GetProcessHeap, RtlFreeHeap); 9490f1 (949152 GetProcessHeap, HeapAlloc or 94912b GetProcessHeap, RtlReAllocateHeap)
• Admin check: 92e79e AllocateAndInitializeSid -> 92e883 CheckTokenMembership -> 92e8c9 FreeSid
• Dynamic API resolution: 9245da GetProcAddress -> 924623 GetCurrentProcess; 93c0de GetWindowsDirectoryA
• Mutex-guarded file write (92c622): 92b7cd WaitForSingleObject -> 92c6ef CreateFileA -> 92c8fa WriteFile -> 92c94e FindCloseChangeNotification -> 924eb1 ReleaseMutex
• Service installation (9435ad): 9435f3 OpenSCManagerA -> 9436a9 CreateServiceA -> 9436f0 ChangeServiceConfig2A, StartServiceA, CloseServiceHandle, or 943777 OpenServiceA -> 943811 StartServiceA, CloseServiceHandle; 94388e CloseServiceHandle
• Service control: 9474e8 StartServiceCtrlDispatcherA; 92ca6f RegisterServiceCtrlHandlerA -> 92cb13 SetServiceStatus, CreateEventA -> 92cbde SetServiceStatus -> 92cc42 WaitForSingleObject (loop) -> 92cc84 SetServiceStatus, CloseHandle -> 92cd01 SetServiceStatus; 92ba72: 92baa1 / 92bb03 SetServiceStatus -> 92bb88 SetEvent
• Time and sleep loop (92f02c): repeated 923e8c GetSystemTimeAsFileTime (923ebf, with __aulldiv) and 92f10f Sleep
• File cleanup loop (925c39): 925dce Sleep -> 925e87 FindFirstFileA -> 925fdb DeleteFileA / 926018 FindNextFileA -> 92602e FindClose; 9322b7 DeleteFileA; 942cf0 Sleep
• Process enumeration (93571f): 935751 CreateToolhelp32Snapshot -> Process32First -> 9359c2 Process32Next, with 93210f CharLowerBuffA applied to names -> 935a6c CloseHandle; 9354d8: 9355fd CreateProcessA -> 93564f CloseHandle, CloseHandle
• Host fingerprinting: 93b4ff GetComputerNameA; 9484d7: 948739 LoadLibraryA -> 948837 GetProcAddress -> 9488ac HeapAlloc -> 948926 GetAdaptersInfo -> 94896c HeapFree -> 94898e HeapAlloc -> 948a39 GetAdaptersInfo -> 949094 HeapFree, FreeLibrary (FreeLibrary also at 948886, 9488fb, 9489fb)
• Randomness (92bece): 92b7cd WaitForSingleObject -> 92bfe5 GetProcAddress -> 92c06d GetProcAddress -> 92c1c7 CryptGenRandom -> 924eb1 ReleaseMutex
• File reads and metadata: 939c24 CreateFileA -> 939c8b ReadFile -> 939dbc / 939e6a CloseHandle; 92f671 ReadFile; 923bc6 CreateFileA; 92cedb FlushFileBuffers -> 92cf0d GetLastError; 93b068 CreateFileA -> 93b142 GetFileTime -> 93b264 GetFileSize, CloseHandle (93b1c7 references __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z)
• Registry write: 936c9d RegOpenKeyA -> 936d0f RegSetValueExA -> 936d31 RegCloseKey
• Process exit: 931600, 9315e5, 942f5d, 94d108 ExitProcess

Control-flow Graph

control_flow_graph of 9288a8-929826 (graph not reproduced; the executed / not-executed marking is lost). Blocks that call APIs, in address order: 9288ea GetVersionExA; 9289e3 CreateDirectoryA; 928cfe DeleteFileA; 928d3d RemoveDirectoryA; 928d6f CreateDirectoryA; 928e94 CreateDirectoryA; 929132 CreateDirectoryA; 9291c1 CreateDirectoryA; 929341 GetTempPathA; 92946e CreateDirectoryA; 929633 GetTempPathA; 929769 SetFileAttributesA (reached from the 928f64 and 929756 blocks). Internal callees on the graph: 9257a9, 92e769, 92457c, 93c0de, 92f38b, 93a805, 938251, 92846d, 92c9ba, 94d492, 92c622, 945eaf, 92f793, 9306af, 925017, 9442b6, 93074e.
APIs
• GetVersionExA.KERNEL32(0095B028), ref: 0092893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00928AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 00928D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00928D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00928DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00928E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00929158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 009291F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 0092936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 009294DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 0092963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 009297B0
Strings (split from the String ID below)
• C:\Users\user
• C:\hjflhukc\
• \
• gKV`
• h)N^
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Users\user$C:\hjflhukc\$\$gKV`$h)N^
• API String ID: 1691758827-1793791328
• Opcode ID: 01c0a82bda414126406af9849950415a7e3066d74ce1552f96a92a5c628a16e8
• Instruction ID: 8c79724b8408aabb7829b235db8c56f66a9055d9a8dd8fe6478979fbcb31eade
• Opcode Fuzzy Hash: 01c0a82bda414126406af9849950415a7e3066d74ce1552f96a92a5c628a16e8
• Instruction Fuzzy Hash: 5682027153D314DBD708DF66FC92AAA77B8FB44303B00412AE506D62B1EB349A85EF15
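Added example, not part of the Joe Sandbox report and not code from the sample: a small Python parser for the API list format rendered above, with a check for the pattern this function shows, GetTempPathA and CreateDirectoryA followed by SetFileAttributesA with 0x00000002 (FILE_ATTRIBUTE_HIDDEN), i.e. a hidden working directory such as the C:\hjflhukc\ named in the String ID. The line regex is an assumption taken from the visible lines rather than a documented schema, the sample input is this function's own API list copied from the report, and the attribute constants are the Win32 FILE_ATTRIBUTE_* values.

```python
# Added example (not Joe Sandbox code): parse the "APIs" lines of one function
# from a Joe Sandbox report and flag the hidden working-directory pattern
# GetTempPathA -> CreateDirectoryA -> SetFileAttributesA(FILE_ATTRIBUTE_HIDDEN).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Win32 FILE_ATTRIBUTE_* bits as passed to SetFileAttributesA.
FILE_ATTRIBUTES = {
    0x01: "READONLY",
    0x02: "HIDDEN",
    0x04: "SYSTEM",
    0x10: "DIRECTORY",
    0x20: "ARCHIVE",
    0x80: "NORMAL",
}

# Line shape as rendered on the report page: "• Api.MODULE(arg,arg,...), ref: 00ADDRESS".
# Assumption: taken from the visible lines, not from a documented Joe Sandbox schema.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Copied verbatim from the APIs list of the function at 9288a8 in the report.
SAMPLE = """\
• GetVersionExA.KERNEL32(0095B028), ref: 0092893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00928AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 00928D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00928D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00928DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00928E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00929158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 009291F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 0092936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 009294DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 0092963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 009297B0
"""


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[str]  # argument values as the report shows them; "?" means unresolved
    ref: int         # address of the call site


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every line matching the report's API format; other lines are ignored."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        refs.append(ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return refs


def decode_attributes(value: int) -> List[str]:
    """Expand a FILE_ATTRIBUTE_* mask into the names of the set bits."""
    return [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if value & bit]


def hidden_dir_setup(refs: List[ApiRef]) -> Optional[Dict[str, object]]:
    """Flag a SetFileAttributesA call with HIDDEN set whose call site is preceded
    (in address order) by CreateDirectoryA; also report whether GetTempPathA precedes it.
    Address order only approximates execution order; see the usage note."""
    ordered = sorted(refs, key=lambda r: r.ref)
    creates = [r.ref for r in ordered if r.api == "CreateDirectoryA"]
    temp = [r.ref for r in ordered if r.api == "GetTempPathA"]
    for r in ordered:
        if r.api != "SetFileAttributesA" or len(r.args) < 2:
            continue
        try:
            attrs = int(r.args[1], 16)
        except ValueError:  # the report prints "?" when the value was not recovered
            continue
        earlier_creates = [c for c in creates if c < r.ref]
        if attrs & 0x02 and earlier_creates:
            return {
                "set_attr_ref": r.ref,
                "attributes": decode_attributes(attrs),
                "create_dir_refs": earlier_creates,
                "uses_temp_path": any(t < r.ref for t in temp),
            }
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(len(parsed), "API references;", "hidden directory setup:", hidden_dir_setup(parsed))
```

The check orders call sites by address, which is a static approximation: the control-flow graph shows the SetFileAttributesA block at 929769 being reached from the 928f64 and 929756 blocks, so the real order is decided at run time, and the sandbox's API trace, not this list, is the authority on what actually executed. Argument values such as 0000005C are reproduced as the report prints them and are not dereferenced.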

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 208 9484d7-948575 209 948577-948595 208->209 210 94859b-9485a7 208->210 209->210 211 9485b3-9485e0 210->211 212 9485a9 210->212 213 9485e2-9485ec 211->213 214 948608-948619 211->214 212->211 217 948601-948606 213->217 218 9485ee-9485ff 213->218 215 948628-948670 call 93a805 214->215 216 94861b-948622 214->216 221 948672 215->221 222 94867c-948697 call 945eaf 215->222 216->215 217->215 218->215 221->222 225 9486cd-9486f6 call 938251 GetProcessHeap 222->225 226 948699-9486b2 222->226 230 948711-94871d 225->230 231 9486f8-94870c 225->231 226->225 227 9486b4-9486c6 226->227 227->225 232 94872d-94875c call 93a805 230->232 233 94871f-948727 230->233 234 9490ec-9490f0 231->234 237 94875e 232->237 238 948768-9487aa LoadLibraryA call 938251 232->238 233->232 237->238 241 9487ac-9487cc 238->241 242 9487ce 238->242 243 9487d8-9487da 241->243 242->243 244 9487f5-948805 243->244 245 9487dc-9487f0 243->245 247 948807-948824 244->247 248 94882a-948884 call 93a805 GetProcAddress call 938251 244->248 246 9490eb 245->246 246->234 247->248 253 948886-9488a7 FreeLibrary 248->253 254 9488ac-9488f9 HeapAlloc 248->254 255 948a20-948a22 253->255 256 948926-94894e GetAdaptersInfo 254->256 257 9488fb-948921 FreeLibrary 254->257 260 9490ea 255->260 258 948950-94895d 256->258 259 948963-948966 256->259 257->255 258->259 261 94896c-94898c HeapFree 259->261 262 948a39-948a4b 259->262 260->246 265 94898e-9489a9 261->265 266 9489ab-9489b7 261->266 263 948a4d-948a5c 262->263 264 948a5e-948a6e 262->264 267 948a73-948a8e GetAdaptersInfo 263->267 264->267 268 9489bd-9489f9 HeapAlloc 265->268 266->268 269 948a94-948afb call 93a805 call 945eaf 267->269 270 94906d-94908e 267->270 271 948a27-948a33 268->271 272 9489fb-948a16 FreeLibrary 268->272 278 948afd-948b09 269->278 279 
948b0f-948b2d call 938251 269->279 274 949094-9490e7 HeapFree FreeLibrary 270->274 271->262 272->255 274->260 278->279 282 948b2f 279->282 283 948b39-948b59 279->283 282->283 284 948b7f 283->284 285 948b5b-948b65 283->285 288 948b89-948bb1 call 947406 284->288 286 948b67-948b71 285->286 287 948b73-948b7d 285->287 286->288 287->288 291 948ca7-948cbc 288->291 292 948bb7-948bf4 call 947406 288->292 293 948cf4-948d18 291->293 294 948cbe-948cd7 291->294 300 948bf6-948c13 292->300 301 948c22-948c24 292->301 297 948d1e-948d20 293->297 294->293 296 948cd9-948cef 294->296 296->293 297->288 299 948d26 297->299 302 949043-94906b call 9306af 299->302 300->301 303 948c15-948c1b 300->303 304 948c26-948c80 301->304 305 948c9d 301->305 302->274 303->301 307 948c86-948c98 304->307 308 948d2b-948d66 call 93a805 304->308 305->291 307->297 312 948d75-948d86 308->312 313 948d68-948d73 308->313 315 948d94-948da0 312->315 316 948d88-948d92 312->316 314 948da6-948df5 call 945eaf call 938251 313->314 321 948fe2-94903d call 9306af 314->321 322 948dfb-948e22 314->322 315->314 316->314 321->302 324 948e24-948e36 322->324 325 948e38-948e42 322->325 327 948e54-948eab 324->327 325->327 328 948e44-948e4e 325->328 329 948ed2-948ede 327->329 330 948ead-948ed0 327->330 328->327 331 948ee4-948f32 329->331 330->331 332 948f34-948f50 331->332 333 948f55-948f5b 331->333 332->333 334 948f62-948f72 333->334 335 948f5d-948f61 333->335 336 948f74-948f94 334->336 337 948f9a-948fd9 334->337 335->334 336->337 337->322 338 948fdf 337->338 338->321
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 009486E1
• LoadLibraryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 0094876A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00948854
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 00948891
• HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000), ref: 009488DD
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 00948908
• GetAdaptersInfo.IPHLPAPI(00000000,00000100,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 00948935
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000), ref: 0094897A
• HeapAlloc.KERNEL32(?,00000000,00000100,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000), ref: 009489C3
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 00948A10
• GetAdaptersInfo.IPHLPAPI(00000000,00000100,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 00948A78
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000), ref: 009490B2
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0093B7C4,?,?,00000000,00000100), ref: 009490D7
• Note: the LoadLibraryA/GetProcAddress pair followed by calls into GetAdaptersInfo.IPHLPAPI shows this function resolving GetAdaptersInfo from iphlpapi.dll at run time instead of importing it, which is the behaviour the "Contains functionality to dynamically determine API calls" signature refers to. GetAdaptersInfo is called twice (ref 00948935 and 00948A78) with a HeapAlloc between the calls: the first call into a 0x288-byte heap buffer (room for one IP_ADAPTER_INFO entry) either succeeds or returns ERROR_BUFFER_OVERFLOW together with the required size, after which the buffer is freed, re-allocated and the call repeated. This is the documented two-call usage of the API; the result is the list of adapter names, MAC addresses and IP configuration ("Contains functionality to query network adapater information" in the signature list). Each exit path releases the buffer with HeapFree and the module with FreeLibrary, so no artefact of the lookup remains loaded afterwards.
Strings
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: Free$HeapLibrary$AdaptersAllocInfo$AddressLoadProcProcess
• String ID: Q:3q$SAcA
• API String ID: 2633798829-494069912
• Opcode ID: d107d072fe1058bfc95f24c68753aac4ca31b1e3bf17e1a80b721b3d4b53da2b
• Instruction ID: a24828422ca9d5900ecf50485fa0838cbc3c0f96437f3371b9e05c97430a7b26
• Opcode Fuzzy Hash: d107d072fe1058bfc95f24c68753aac4ca31b1e3bf17e1a80b721b3d4b53da2b
• Instruction Fuzzy Hash: 7D52967653C700CBD748CF6AFC92A6A77B4FB58313B10451AE802DB2B1EB349981EB15

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 339 93ff2a-940108 call 938251 call 93a805 call 938251 call 93a805 call 938251 call 93a805 call 938251 call 93a805 call 938251 call 93a805 367 94011e-9402ab call 938251 call 93a805 call 938251 call 93a805 call 938251 call 93a805 339->367 368 94010a-940117 339->368 388 9402b7-9402d4 call 938251 367->388 389 9402ad 367->389 368->367 392 9402f5-9403a1 call 93a805 call 938251 call 93a805 388->392 393 9402d6-9402ef 388->393 389->388 402 9403b5-940482 call 938251 call 93a805 call 938251 call 93a805 392->402 403 9403a3-9403af 392->403 393->392 414 940484-94049e 402->414 415 9404aa-9404e9 call 938251 402->415 403->402 414->415 416 9404a0 414->416 420 9404fb-9405b0 call 938251 call 9306af call 92de5a call 94d256 call 93a805 GetEnvironmentVariableA 415->420 421 9404eb-9404f5 415->421 416->415 432 9405b2-9405c2 420->432 433 9405c8-9406a1 call 938251 CreateMutexA * 3 call 927ec1 call 92fa1b 420->433 421->420 432->433 442 9406a3 433->442 443 9406ad-9406b4 433->443 442->443 444 940809-940853 call 9288a8 443->444 445 9406ba-9406c7 443->445 454 940855-94085f 444->454 455 940873-940950 GetCommandLineA call 945eaf call 93a805 call 92fdd4 call 938251 444->455 446 9406de-94074a GetTickCount call 9210f7 call 93a805 445->446 447 9406c9-9406d8 445->447 458 94074c-940758 446->458 459 94075e-94077b call 92f38b 446->459 447->446 454->455 477 940952 455->477 478 94095c-9409a8 call 93a805 455->478 458->459 465 94077d-94079e 459->465 466 9407af-9407e4 call 938251 459->466 465->466 466->444 473 9407e6-940802 466->473 473->444 477->478 482 9409e2-942289 call 92fdd4 call 938251 call 9315e5 478->482 483 9409aa-9409d0 478->483 493 94228e-9422d9 call 93a805 call 92e2f8 call 94d1b0 482->493 483->482 484 9409d2-9409dd 483->484 484->482
Strings
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID:
• String ID: 241$C:\Users\user$^d/$hM6$~z0
• API String ID: 0-2828660445
• Opcode ID: 604f5e8e86839b08bd1ad4f49d713961ac0eba1796e6ac8ccb42739e3f2d0f86
• Instruction ID: ef951346ac9d59f61920fcc5e8da0487703fa14ce00c40b0ed5aedde8aa56e93
• Opcode Fuzzy Hash: 604f5e8e86839b08bd1ad4f49d713961ac0eba1796e6ac8ccb42739e3f2d0f86
• Instruction Fuzzy Hash: 9C42DD7153D300EFE748DF67FC96A363BB4FB84716B10411AE6059A2B1EB708881EB15

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 501 9435ad-9435f1 502 943602-943642 501->502 503 9435f3-9435fd 501->503 504 943644-943654 502->504 505 943681-9436a3 OpenSCManagerA 502->505 503->502 506 943656-943675 504->506 507 943677 504->507 508 94393f-943959 505->508 509 9436a9-9436ea CreateServiceA 505->509 506->505 507->505 510 943777-943786 509->510 511 9436f0-943707 509->511 514 9437b6-9437c2 510->514 515 943788-94379f 510->515 512 943709-943715 511->512 513 94371b-943772 ChangeServiceConfig2A StartServiceA CloseServiceHandle 511->513 512->513 516 94388e-9438d9 CloseServiceHandle 513->516 518 9437c8-9437e9 OpenServiceA 514->518 517 9437a1-9437b4 515->517 515->518 521 943901-94390d 516->521 522 9438db-9438eb 516->522 517->518 519 94380d-94380f 518->519 520 9437eb-943806 518->520 525 943866-943873 519->525 526 943811-943861 StartServiceA CloseServiceHandle 519->526 520->519 523 943935 521->523 524 94390f-943933 521->524 522->508 527 9438ed-9438ff 522->527 523->508 524->508 525->516 528 943875-943889 525->528 526->525 527->508 528->516
APIs
• OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00943685 (local machine, active database; dwDesiredAccess 0x2 = SC_MANAGER_CREATE_SERVICE)
• CreateServiceA.ADVAPI32(00000000,0165FC78,0165FC78,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 009436D6 (lpServiceName and lpDisplayName point at the same stack buffer; dwDesiredAccess 0xF01FF = SERVICE_ALL_ACCESS; dwServiceType 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; dwStartType 2 = SERVICE_AUTO_START; dwErrorControl 0 = SERVICE_ERROR_IGNORE; lpBinaryPathName was not resolved by the sandbox; no load-order group, tag or dependencies, and NULL lpServiceStartName, so the service runs as LocalSystem)
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00943728 (dwInfoLevel 1 = SERVICE_CONFIG_DESCRIPTION: a description string is attached to the new service)
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0094374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 0094375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 009437D1 (the 0x10 argument matches SERVICE_START; in the control-flow graph this call sits on the branch out of CreateServiceA that does not reach ChangeServiceConfig2A, consistent with a fallback that opens and starts an already-registered service when CreateServiceA fails with ERROR_SERVICE_EXISTS)
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00943836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00943847
• CloseServiceHandle.ADVAPI32(00000000), ref: 009438B1
Strings
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: 71959f1e12a275422dfba4c3d1235d429a920c0f8f218aee2abac8f4a2a46fab
• Instruction ID: 8f836497303f5c4b2f2fab2291e8592d7687ba4216f036f4004962b4e8438056
• Opcode Fuzzy Hash: 71959f1e12a275422dfba4c3d1235d429a920c0f8f218aee2abac8f4a2a46fab
• Instruction Fuzzy Hash: BC9184B553C700EBD7088F6AFD9693977B8F748303741811AE8029B2B1EB749A81FB54
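The service-installation routine above (OpenSCManagerA, CreateServiceA with dwServiceType 0x110 and dwStartType 2, ChangeServiceConfig2A with SERVICE_CONFIG_DESCRIPTION, StartServiceA) leaves a specific shape in the registry on an infected host. The PowerShell below is an added hunting example written for this page; it is not Joe Sandbox output and not code from the sample. It reads HKLM\SYSTEM\CurrentControlSet\Services and reports every service whose Type has the SERVICE_INTERACTIVE_PROCESS bit set and whose Start value is SERVICE_AUTO_START, then checks the Authenticode status of the binary. Because the report does not resolve lpBinaryPathName, the default ImagePath filter (a path under \Users\) is an assumption; pass -AnyPath to drop it. The function and parameter names are the example's own.

```powershell
# Added hunting example (editor's code, not from the Joe Sandbox report or the sample).
# Matches the CreateServiceA call observed at ref 009436D6:
#   Type  = 0x110  (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)
#   Start = 2      (SERVICE_AUTO_START)
# The ImagePath filter is an assumption: the report does not show lpBinaryPathName.

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # Expand %SystemRoot% and friends, then strip quoting and arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)') { return $Matches[1] }
    return $expanded.Trim()
}

function Find-SuspectInteractiveService {
    [CmdletBinding()]
    param(
        # Assumed location; override or use -AnyPath to inspect every matching service.
        [string]$PathPattern = '\\Users\\',
        [switch]$AnyPath
    )
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type -or $null -eq $p.Start -or -not $p.ImagePath) { continue }

        # SERVICE_INTERACTIVE_PROCESS (0x100) is rare for legitimate services on current
        # Windows; together with auto-start it is exactly the shape the sample creates.
        $interactive = (([int]$p.Type -band 0x100) -ne 0)
        $autoStart   = ([int]$p.Start -eq 2)
        $pathMatch   = $AnyPath -or ($p.ImagePath -match $PathPattern)
        if (-not ($interactive -and $autoStart -and $pathMatch)) { continue }

        $exe = Get-ServiceBinaryPath -ImagePath $p.ImagePath
        $sig = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else {
            'FileMissing'
        }

        [pscustomobject]@{
            Name        = $key.PSChildName
            Type        = ('0x{0:X}' -f [int]$p.Type)
            Start       = [int]$p.Start
            ImagePath   = $p.ImagePath
            Description = $p.Description   # written by ChangeServiceConfig2A(SERVICE_CONFIG_DESCRIPTION)
            Signature   = $sig
        }
    }
}

# Usage:
#   Find-SuspectInteractiveService | Format-Table -AutoSize
#   Find-SuspectInteractiveService -AnyPath | Where-Object Signature -ne 'Valid'
```

Reading the Services hive needs no elevation, so the check can run from a normal user session during triage; an entry with an unsigned or missing binary, a freshly written Description and a user-profile ImagePath is the combination to escalate. Legitimate software that still registers interactive services exists, so treat a hit as a lead to verify against the path and signature rather than as a verdict on its own.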

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 613 93b3db-93b41a 614 93b441-93b4a1 call 92fe2b 613->614 615 93b41c-93b434 613->615 619 93b4a3-93b4ad 614->619 620 93b4b2-93b4e9 call 9257a9 call 927ec1 614->620 615->614 616 93b436-93b43c 615->616 616->614 619->620 625 93b4eb-93b4f7 call 9376a5 620->625 626 93b4f9 620->626 628 93b4ff-93b530 GetComputerNameA 625->628 626->628 630 93b5c2-93b66b call 93a805 call 945eaf call 938251 call 92846d 628->630 631 93b536-93b5bc call 93a805 call 945eaf call 938251 628->631 646 93b6cf-93b715 call 92695e call 945eaf 630->646 647 93b66d-93b688 630->647 631->630 654 93b717-93b736 646->654 655 93b73c-93b776 call 92f38b 646->655 648 93b68a-93b6ad 647->648 649 93b6af-93b6ca 647->649 648->646 649->646 654->655 658 93b787-93b854 call 9306af call 9484d7 call 9442b6 call 930b92 call 925724 call 925017 655->658 659 93b778-93b782 655->659 672 93b856-93b869 658->672 673 93b888-93b8a0 call 92695e 658->673 659->658 672->673 674 93b86b-93b882 672->674 677 93b8a2 673->677 678 93b8ac-93b8d0 673->678 674->673 677->678 679 93b913 678->679 680 93b8d2-93b8fc 678->680 683 93b91d-93b9ae call 930b92 call 925724 call 925017 call 92695e call 930b92 call 925724 call 925017 679->683 681 93b90a-93b911 680->681 682 93b8fe-93b908 680->682 681->683 682->683 698 93b9b0-93b9ba 683->698 699 93b9bc 683->699 700 93b9c6-93b9e4 call 92695e 698->700 699->700 703 93b9f0-93bae3 call 930b92 call 925724 call 925017 call 92695e call 930b92 call 925724 call 925017 call 92695e call 93a805 call 930b92 call 925724 call 925017 700->703 704 93b9e6 700->704 729 93bae5 703->729 730 93baef-93bb0a call 938251 703->730 704->703 729->730 733 93bb16-93bc67 call 92695e call 930b92 call 925724 call 925017 call 92695e call 930b92 call 925724 call 925017 call 92695e call 923cdc call 924d07 call 930b92 call 925724 call 
925017 call 92695e call 9252d0 730->733 734 93bb0c 730->734 767 93bc74-93bcdb call 930b92 call 925724 call 925017 call 92c9ba call 94d492 call 935fba 733->767 768 93bc69-93bc6e 733->768 734->733 781 93bcdd-93bcef 767->781 782 93bcfc-93bd69 call 949707 call 92c9ba call 94d492 call 949883 call 939ab1 call 92ee34 767->782 768->767 781->782 783 93bcf1-93bcf6 781->783 795 93bd6e-93bdb7 call 9306af * 2 782->795 783->782 800 93bdd0-93be13 call 9306af call 925017 call 939a04 795->800 801 93bdb9-93bdca 795->801 801->800
APIs
• GetComputerNameA.KERNEL32(?,?), ref: 0093B528
  • Part of subcall function 009442B6: lstrlen.KERNEL32(?,?,00922347,?), ref: 00944320
• Note: the control-flow graph for this function (block 93b787) also calls 009484D7, the adapter-enumeration routine listed above, so the computer name from GetComputerNameA and the GetAdaptersInfo output are collected by the same routine before the later string-building calls.
Strings
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ComputerNamelstrlen
                                                                                                                                                                                                            • String ID: K]g[$myiW
                                                                                                                                                                                                            • API String ID: 4141851928-3148350528
                                                                                                                                                                                                            • Opcode ID: b1fdce82efc8136708ddc4e555edac62f694b3ca6b3ae4e5a27dbce11ce67c22
                                                                                                                                                                                                            • Instruction ID: 65df62d66a2b5a764a2819cea290139b7fde12feb5bfa4040b112504a6a186ad
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b1fdce82efc8136708ddc4e555edac62f694b3ca6b3ae4e5a27dbce11ce67c22
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3142BF71928315CBDB04EFA6FD92ABA73B8FB54306F40011AE506E71B1EB309A45EF51

Control-flow Graph
control_flow_graph 808 92bece-92bf06 809 92bf17-92bf60 808->809 810 92bf08-92bf12 808->810 811 92bf62-92bf73 809->811 812 92bf84-92bfb4 call 92b7cd 809->812 810->809 811->812 813 92bf75-92bf7f 811->813 816 92bfba-92c04d call 93a805 GetProcAddress call 93a805 812->816 817 92c1ae-92c1c5 812->817 813->812 833 92c065-92c0b1 call 938251 GetProcAddress call 938251 816->833 834 92c04f-92c059 816->834 818 92c236-92c24c 817->818 819 92c1c7-92c1db CryptGenRandom 817->819 822 92c29e-92c2d7 call 924eb1 818->822 823 92c24e-92c299 call 92ce70 * 4 818->823 819->818 821 92c1dd-92c1fd 819->821 827 92c21a-92c230 821->827 828 92c1ff-92c213 821->828 823->822 827->818 828->827 846 92c0b3-92c0ba 833->846 847 92c0f1-92c132 833->847 834->833 836 92c05b 834->836 836->833 846->847 848 92c0bc-92c0c3 846->848 849 92c172-92c195 847->849 850 92c134-92c166 847->850 853 92c0ca-92c0cc 848->853 849->817 852 92c197-92c1a8 849->852 850->849 851 92c168 850->851 851->849 852->817 853->847 854 92c0ce-92c0ec 853->854 854->849
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 0092C004
• GetProcAddress.KERNEL32(00000000), ref: 0092C080
• CryptGenRandom.ADVAPI32(00000004,009266DE,-AF16B4FB,?,0093AEAC,009266DE), ref: 0092C1D3
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
• Opcode ID: 86155718653e45debacc9fc974e7734977ac7d649f7ee83f43d2d2fff4ffb172
• Instruction ID: d761243f22a95a34a41598a6a40378d8c44458433c6d24b8070be1c72da2dc2f
• Opcode Fuzzy Hash: 86155718653e45debacc9fc974e7734977ac7d649f7ee83f43d2d2fff4ffb172
• Instruction Fuzzy Hash: 1991BA7153C311CBEB18CF66FC56A2A37E5FB48363B50421AE816C66B5EB708980FB45

Control-flow Graph
control_flow_graph 529 935498-9354b8 530 93550a-93550c 529->530 531 9354ba-9354d5 529->531 532 93552b 530->532 533 93550e-935529 530->533 534 935535-9355d8 call 9306af * 2 532->534 533->534 539 9355da-9355f6 534->539 540 9355fd-935631 CreateProcessA 534->540 539->540 541 9355f8 539->541 542 935633-935643 540->542 543 935677 540->543 541->540 544 935645 542->544 545 93564f-935675 CloseHandle * 2 542->545 546 935681-93568e 543->546 544->545 545->546
APIs
• CreateProcessA.KERNELBASE(?,0092DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00935628
• CloseHandle.KERNEL32(0092DA33,?,?,?,?,00000000), ref: 00935652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00935665
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 783f25a9a7523b7a0efb51159080f3854a0831d5adbc09d80aa26060236b52d9
• Instruction ID: 7759acc9d7cd3876342c915a6269bbe3eefeb451ad76020c8784ce4fc8f184b3
• Opcode Fuzzy Hash: 783f25a9a7523b7a0efb51159080f3854a0831d5adbc09d80aa26060236b52d9
• Instruction Fuzzy Hash: A1411172528740CBC758DFA6FDA6ABA77B8FB88316B10411EE902CB171E7349804FB15

Control-flow Graph
control_flow_graph 547 9354d8-9354e8 548 935535-9355d8 call 9306af * 2 547->548 549 9354ea-93550c 547->549 556 9355da-9355f6 548->556 557 9355fd-935631 CreateProcessA 548->557 550 93552b 549->550 551 93550e-935529 549->551 550->548 551->548 556->557 558 9355f8 556->558 559 935633-935643 557->559 560 935677 557->560 558->557 561 935645 559->561 562 93564f-935675 CloseHandle * 2 559->562 563 935681-93568e 560->563 561->562 562->563
APIs
• CreateProcessA.KERNELBASE(?,0092DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00935628
• CloseHandle.KERNEL32(0092DA33,?,?,?,?,00000000), ref: 00935652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00935665
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 2dcd8e6b17485bb3bb65629a73edccfffa977f6b06857966adc6e7585050706d
• Instruction ID: 6e11bda67059366b22091a31ff7aa94e38defd6627a734f88942a0fe5c35a463
• Opcode Fuzzy Hash: 2dcd8e6b17485bb3bb65629a73edccfffa977f6b06857966adc6e7585050706d
• Instruction Fuzzy Hash: A141017142D704DBDB58DFA7FDAAA7A37B8FB88706B01411AE502961B1EB309840FF15

Control-flow Graph
control_flow_graph 564 939b78-939ba4 call 94dfa1 567 939ba6-939bb2 564->567 568 939bb8-939bc7 564->568 567->568 569 939be3-939c58 call 949707 call 92b7cd CreateFileA 568->569 570 939bc9-939bde 568->570 575 939c5a-939c73 569->575 576 939c78-939c86 569->576 570->569 577 939e96-939eda call 924eb1 call 9306af 575->577 578 939c8b-939cfa ReadFile call 94970f 576->578 588 939edc-939ee2 577->588 584 939d06-939d28 call 92c9ba call 937f29 578->584 585 939cfc 578->585 592 939d34-939d3d call 938341 584->592 593 939d2a 584->593 585->584 596 939d43-939d54 592->596 597 939e6a-939e8c CloseHandle 592->597 593->592 598 939d60-939d8a call 949883 596->598 599 939d56 596->599 597->577 602 939db2-939db6 598->602 603 939d8c-939da1 598->603 599->598 602->578 605 939dbc-939dd7 CloseHandle 602->605 603->602 604 939da3-939dad 603->604 604->602 606 939e24-939e68 call 924eb1 call 9306af 605->606 607 939dd9-939e0a 605->607 606->588 607->606 609 939e0c-939e1e 607->609 609->606
APIs
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00939C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00939CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00939DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00939E86
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
• Opcode ID: f91c32ef6332f451924b97e463cfd904fd79034d251c5bd14eaaf80170068f5e
• Instruction ID: 30a0e3fc86c5048f4b98682c4a114c5623cabd4aa698370ccf0344e3ac09544e
• Opcode Fuzzy Hash: f91c32ef6332f451924b97e463cfd904fd79034d251c5bd14eaaf80170068f5e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E081C875539300CBDB10EF66FC92B7A37B9FB44303F00051AE906C62A1EB748981EB55

Control-flow Graph

APIs
• Part of subcall function 0092B7CD: WaitForSingleObject.KERNEL32(0093AEAC,00004E20,00000001,?,0092BFA2,00000001,-AF16B4FB,?,0093AEAC,009266DE), ref: 0092B81D
• CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,009267E3,?,00000004,?,00000000,?), ref: 0092C746
• WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 0092C90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000001), ref: 0092C983
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
• String ID:
• API String ID: 2552625159-0
• Opcode ID: e197fc8ab820518c91365bdfd9375e5c1b7d4095adedb080de4b87de0d464afb
• Instruction ID: 76732f4c1c2392b4b30b497b60e02c0e7e17a3b289151b168098e460b1978927
• Opcode Fuzzy Hash: e197fc8ab820518c91365bdfd9375e5c1b7d4095adedb080de4b87de0d464afb
• Instruction Fuzzy Hash: B491A8B553C301DBD748CF6AFDA592A7BB8FB88316B50811AE406CB2B5E7349941EF04

Control-flow Graph

APIs
• AllocateAndInitializeSid.ADVAPI32(00928954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00928954), ref: 0092E865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0092E895
• FreeSid.ADVAPI32(?), ref: 0092E8DC
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 1c501299f9deac488f0768493c3805bdedc6a221ad16a70f9ae499d212f9a6f9
• Instruction ID: 19c934c8f8b77b3e4b23d5bb4ef66904302ec0e60c83cf38f857d69d465db7e0
• Opcode Fuzzy Hash: 1c501299f9deac488f0768493c3805bdedc6a221ad16a70f9ae499d212f9a6f9
• Instruction Fuzzy Hash: 2941657492D304EFDB04CFA7FC9566AB7B8FB08307B80445AE902D7261E7349A80EB55

Control-flow Graph

APIs
• lstrlen.KERNEL32(?,?,009309C2,?,?,?), ref: 009320F0
• CharLowerBuffA.USER32(?,00000000,?,009309C2,?,?,?), ref: 00932131
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: ad20e0a472b1a464d18d5ca1a52033da6983b036f385cbbeee4a29384c7696c3
• Instruction ID: b2e7f42002f11081e02e1a79f070d273e3de02f3ed289a92e9703dfb8d4a0390
• Opcode Fuzzy Hash: ad20e0a472b1a464d18d5ca1a52033da6983b036f385cbbeee4a29384c7696c3
• Instruction Fuzzy Hash: 30F0673153C304DBDB098F87ED464363BF2F7547027504419F9068A670E7349D90BB56

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(00000000,?,?,0094A3A7,?,?,?,0094D0BE), ref: 009423F6
• RtlAllocateHeap.NTDLL(00000000,?,0094A3A7,?,?,?,0094D0BE), ref: 009423FD
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: aae9efdeec3abea18ba2e6e6a507d4416d78026b24078caf9edce7cb38c71896
• Instruction ID: f00eb7d1a84b6d199b28aa83a7db1d31198eb9bca371ffdd7138257dea725af7
• Opcode Fuzzy Hash: aae9efdeec3abea18ba2e6e6a507d4416d78026b24078caf9edce7cb38c71896
• Instruction Fuzzy Hash: 2AF065365293019FCB108FAAFD5AE5A3774F75575AB640012F009DA0B5D778E844AFA0

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(00000000,00938109,?,00938109,00000000), ref: 0092DE6C
• RtlFreeHeap.NTDLL(00000000,?,00938109,00000000), ref: 0092DE73
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:

Control-flow Graph (executed / not executed blocks)
control_flow_graph 920 923b2c-923c12 call 92f793 call 93a805 call 92f38b call 938251 CreateFileA 929 923c14-923c2f 920->929 930 923c4f-923c67 920->930 931 923c31 929->931 932 923c3b-923c4d 929->932 933 923c79-923c83 930->933 934 923c69-923c73 930->934 931->932 935 923c85-923c91 932->935 933->935 934->933 936 923c93-923caf 935->936 937 923cb5-923cdb call 9306af 935->937 936->937
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00923BF6
Similarity
• API ID: CreateFile
• String ID:
APIs
Similarity
• API ID: ExitProcess
• String ID:
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 0094D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0094D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 0094DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0094DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0094DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 0094DC1C
• CloseHandle.KERNEL32(?), ref: 0094DC33
• CloseHandle.KERNEL32(?), ref: 0094DC66
• CloseHandle.KERNEL32(?), ref: 0094DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 0094DD4F
• CloseHandle.KERNEL32(?), ref: 0094DD9F
• CloseHandle.KERNEL32(?), ref: 0094DDB2
• CloseHandle.KERNEL32(?), ref: 0094DE41
• CloseHandle.KERNEL32(00000000), ref: 0094DE67
• CloseHandle.KERNEL32(?), ref: 0094DE7E
Strings
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009311F7
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00931267
• CloseHandle.KERNEL32(00000000), ref: 0093128B
• GetTickCount.KERNEL32 ref: 009312D1
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0093153B
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0093157E
• CloseHandle.KERNEL32(00000000), ref: 0093158F
Strings
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID: Ra);
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009316B2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 009317BE
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00931932
                                                                                                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00931991
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,0000000A), ref: 00931A6A
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 00931ACE
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00931AF5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 930127669-0
                                                                                                                                                                                                            • Opcode ID: 08a45d01d67d327062cb0ab2b6ebc62621354c83a2285c3233f521ab1a220aa8
                                                                                                                                                                                                            • Instruction ID: 249b8de77e29de28da7e7993cbb9ac265be6915765f0e29b73911c4e2c62eb45
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08a45d01d67d327062cb0ab2b6ebc62621354c83a2285c3233f521ab1a220aa8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9CC1CD7652D700CBD708DF66FC966AA33B8FB54317F00411AE906C62B1EB749981EF45
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00939FF7
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 0093A049
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0093A061
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 0093A162
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0093A3B6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1579346331-0
                                                                                                                                                                                                            • Opcode ID: 2df7b6d53438691bc1b90d30fbb38453cfdd5d3abfc28448a3c8c4a54c9c0a5c
                                                                                                                                                                                                            • Instruction ID: 812a67c86106ad5c20a65d0fda30a0dc38e33f3df8e1f6d17181296b0228d20d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2df7b6d53438691bc1b90d30fbb38453cfdd5d3abfc28448a3c8c4a54c9c0a5c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CAD1FD7692C700DFC708CFA6FC95A6A77F4FB54313B15411AE8029B2B0EB349A81EB41
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 00925DEC
                                                                                                                                                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 00925EB2
                                                                                                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 00925FE2
                                                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 00926020
                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00926042
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FileFind$CloseDeleteFirstNextSleep
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1528862845-0
                                                                                                                                                                                                            • Opcode ID: 24976d42402ea07f7ff60ed4af5345d4f289eac043311aba1282720e03840eac
                                                                                                                                                                                                            • Instruction ID: 548b8e97f91bf05f8f2441fdd70f293373b703242388c29cc6a994760495127b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 24976d42402ea07f7ff60ed4af5345d4f289eac043311aba1282720e03840eac
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81A1CDB153DB14CBD748CF67FC966A937B8F748303B10011AE906CA6B1EB349981EB85
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00935804
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 009358E2
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 009359E8
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00935A7E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 420147892-0
                                                                                                                                                                                                            • Opcode ID: 66e78881ed29dea81f1b83171c8b8756ac619bac0b17db2e39a0f0522ee8923f
                                                                                                                                                                                                            • Instruction ID: b061db91418efd3e2ef13193e85d73e3be9479326d789ce2700592859f6af383
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 66e78881ed29dea81f1b83171c8b8756ac619bac0b17db2e39a0f0522ee8923f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A91987662D700CBD748DB6BFCAA56A77F8F748313B11451AE906C62B0EB349A41EF01
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 23c84360fe667dd33fde9d5f1a61b8b421a18eeb2784db202f526d3433e4e71e
                                                                                                                                                                                                            • Instruction ID: 6583474bfe70aa8df64c7a02effac56954a42181381500c15576bdccf00fbbee
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 23c84360fe667dd33fde9d5f1a61b8b421a18eeb2784db202f526d3433e4e71e
• Instruction Fuzzy Hash: 1F111971138300CBD359CF6AFD8152437B4B754347B61981AE552DB6B1EB209581EF06
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 0092CAF2
• SetServiceStatus.ADVAPI32(0095B2DC), ref: 0092CB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0092CB78
• SetServiceStatus.ADVAPI32(0095B2DC), ref: 0092CBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 0092CC62
• SetServiceStatus.ADVAPI32(0095B2DC), ref: 0092CCAF
• CloseHandle.KERNEL32 ref: 0092CCC5
• SetServiceStatus.ADVAPI32(0095B2DC), ref: 0092CD8F
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: b2f6b2c00370bd64485e742e40b0b6b771bf30321437122fd61d7523716747ec
• Instruction ID: 92e02a7b656cb0b9639c95d8e7991808c5579047442943740eb03bf32ee89ea5
• Opcode Fuzzy Hash: b2f6b2c00370bd64485e742e40b0b6b771bf30321437122fd61d7523716747ec
• Instruction Fuzzy Hash: EC9131B003D3118BD754CF6BFD9A92A7BF8F71830B740451AE5468A2B1EB309882FB55
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009308C2
• Process32First.KERNEL32(00000000,00000128), ref: 00930966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00930A15
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 00930A64
• CloseHandle.KERNEL32(00000000), ref: 00930A82
• Process32Next.KERNEL32(00000000,00000128), ref: 00930AD2
• CloseHandle.KERNEL32(00000000), ref: 00930B10
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
• String ID:
• API String ID: 2696918072-0
• Opcode ID: 869d7122863b514be2ed18c5125d7ebf8fd0487eae603bee152f2b24d36bef96
• Instruction ID: 9234fa16e5fa372aecf2b804aad149b470eafa9880df069214d860a55a733a62
• Opcode Fuzzy Hash: 869d7122863b514be2ed18c5125d7ebf8fd0487eae603bee152f2b24d36bef96
• Instruction Fuzzy Hash: B581B97253C7019BD344CF6BFCA2A7A73B8FB48313B40411AE806D66B1EB348981EB44
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0093B104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 0093B16D
• CloseHandle.KERNEL32(00000000), ref: 0093B1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0093B25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0093B2AB
• CloseHandle.KERNEL32(00000000), ref: 0093B2D8
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 5aa7b0a031f3e3f204a4f3b402cd4cbad387e84a28142ceac36e6d5a5f23a4e7
• Instruction ID: a46c2b3cf955f9ef332703b35eb8e74120eb3e98b1b363a2d78524ee9ffb76da
• Opcode Fuzzy Hash: 5aa7b0a031f3e3f204a4f3b402cd4cbad387e84a28142ceac36e6d5a5f23a4e7
• Instruction Fuzzy Hash: 2471A93163D304CBD744CF6AFD9297A7BB8F708327B50061AE952C76A0E3349A81EB15
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,0092D583,Function_0000AD87,00000002,00000000), ref: 00944637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00944655
• CloseHandle.KERNEL32(00000000,?,00000002,?,0092D583,Function_0000AD87,00000002,00000000), ref: 0094468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,0092D583,Function_0000AD87,00000002,00000000), ref: 009446A1
• CloseHandle.KERNEL32(?,00000002,?,0092D583,Function_0000AD87,00000002,00000000), ref: 00944712
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 730a68243a6680daa7bca0f867538d9233e002fca2ebc83a4bd0f411902eefcc
• Instruction ID: 49858082caec1407205fde7909d0bc4a1bdf036f2838ae0ed376b512d0a755aa
• Opcode Fuzzy Hash: 730a68243a6680daa7bca0f867538d9233e002fca2ebc83a4bd0f411902eefcc
• Instruction Fuzzy Hash: 54417635439340DFC714CF6AFD85A2A7BF6F7997177A1441AE806C6671E330A842EB11
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00944CBC
  • Part of subcall function 0093074E: wvsprintfA.USER32(?,?,?), ref: 009307C3
• Sleep.KERNEL32(00015F90), ref: 00944E60
• DeleteFileA.KERNEL32(?), ref: 00944E7F
Strings
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: afab1c89f7e06779df01518e111bfb301c4f7bde721a179bc4d04ea389b22473
• Instruction ID: 2c3e6a43b7346ea7d537ed251e0bf10a14ab3b99a3276043862110a6eac1046a
• Opcode Fuzzy Hash: afab1c89f7e06779df01518e111bfb301c4f7bde721a179bc4d04ea389b22473
• Instruction Fuzzy Hash: BBD1E07553C704DED708DF66FC92AA677B8FB48302B40050AE906DB2B1EB349A81EB55
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00938146,00000000,?,?,?,?,?,0092F85A,?,?,?,00949573), ref: 00949143
• RtlReAllocateHeap.NTDLL(00000000,?,00938146,00000000), ref: 0094914A
• GetProcessHeap.KERNEL32(00000000,00000000,?,00938146,00000000,?,?,?,?,?,0092F85A,?,?,?,00949573,?), ref: 00949174
• HeapAlloc.KERNEL32(00000000,?,00938146,00000000,?,?,?,?,?,0092F85A,?,?,?,00949573,?,00000001), ref: 0094917B
Memory Dump Source
• Source File: 00000002.00000002.1501190890.0000000000921000.00000020.00000001.01000000.00000004.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000002.00000002.1500960187.0000000000920000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501214717.000000000094F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1501226749.0000000000950000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501242274.0000000000953000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1501255782.000000000095C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_920000_psjpq2i82ktsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1154092256-0
                                                                                                                                                                                                            • Opcode ID: 2b312b86d07a0b5d5020e9604707a9cca724b7293469acdd3e2b8b0e4620316c
                                                                                                                                                                                                            • Instruction ID: 7f87cb442f44dadded5d7e8e0b5699518c8a3eb8fbbbfc20c0340c2a7286f22f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b312b86d07a0b5d5020e9604707a9cca724b7293469acdd3e2b8b0e4620316c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B5014F76568704DFDB049FA6FC69A293BB4FB09302F854015FA1AC7672E775A440EB40

Execution Graph

Execution Coverage: 19.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1503
Total number of Limit Nodes: 22
calls 8902->8904 8903 6f8251 GetProcessHeap RtlFreeHeap 8903->8904 8904->8893 8904->8897 8904->8898 8904->8899 8904->8901 8904->8902 8904->8903 8905 707dc0 51 API calls 8904->8905 8906 704927 33 API calls 8904->8906 9029 6efe4b 8904->9029 8905->8904 8906->8904 8908 704470 8907->8908 8909 6fa805 2 API calls 8908->8909 8910 7044cd 8909->8910 8911 6fa805 2 API calls 8910->8911 8912 7044fc 8911->8912 9033 6ea928 8912->9033 8915 6f8251 2 API calls 8916 704546 8915->8916 8917 6f8251 2 API calls 8916->8917 8918 70456f 8917->8918 8918->8893 8920 6f86b6 8919->8920 8921 6e3e8c GetSystemTimeAsFileTime 8920->8921 8922 6f8873 8921->8922 8923 7042b6 lstrlen 8922->8923 8928 6f88d0 8923->8928 8924 7042b6 lstrlen 8926 6f8a48 8924->8926 8925 6f9185 Mailbox 8925->8904 8927 7042b6 lstrlen 8926->8927 8929 6f8a56 8927->8929 8928->8924 8928->8925 8929->8925 8930 6fa805 2 API calls 8929->8930 8931 6f8ad5 8930->8931 8932 6e846d 9 API calls 8931->8932 8933 6f8b0f 8932->8933 8934 6f8251 2 API calls 8933->8934 8935 6f8b3d Mailbox 8934->8935 8937 6fa805 2 API calls 8935->8937 8949 6f8d19 8935->8949 8936 6f0b92 9 API calls 8938 6f8dbe 8936->8938 8939 6f8b9e 8937->8939 8941 6e5724 8 API calls 8938->8941 8940 6f23e9 9 API calls 8939->8940 8943 6f8bc8 Mailbox 8940->8943 8942 6f8dca Mailbox 8941->8942 8944 6fa805 2 API calls 8942->8944 8946 6f8251 2 API calls 8943->8946 8945 6f8ded 8944->8945 8947 6f0b92 9 API calls 8945->8947 8952 6f8bf7 8946->8952 8948 6f8e04 8947->8948 8950 6e5724 8 API calls 8948->8950 8949->8936 8951 6f8e10 Mailbox 8950->8951 8954 6f8251 2 API calls 8951->8954 8952->8949 9039 6f1c14 8952->9039 8956 6f8e3b 8954->8956 8955 6f8c77 8957 6fa805 2 API calls 8955->8957 8958 6f0b92 9 API calls 8956->8958 8959 6f8cbd 8957->8959 8960 6f8e8b 8958->8960 8962 6e846d 9 API calls 8959->8962 8961 6e5724 8 API calls 8960->8961 8965 6f8e9a Mailbox 8961->8965 8963 6f8cff 8962->8963 8964 6f8251 2 API calls 8963->8964 8964->8949 8966 6f9051 Mailbox 8965->8966 8968 6fa805 2 API calls 8965->8968 
8967 6fa805 2 API calls 8966->8967 8969 6f9087 8967->8969 8970 6f8f09 8968->8970 8972 6f0b92 9 API calls 8969->8972 8971 6f0b92 9 API calls 8970->8971 8974 6f8f23 8971->8974 8973 6f90d7 8972->8973 8976 6e5724 8 API calls 8973->8976 8975 6e5724 8 API calls 8974->8975 8977 6f8f32 Mailbox 8975->8977 8978 6f90e3 Mailbox 8976->8978 8979 6fa805 2 API calls 8977->8979 8980 6f8251 2 API calls 8978->8980 8981 6f8f5b 8979->8981 8982 6f90fd 8980->8982 8984 6f8251 2 API calls 8981->8984 8983 6f9142 socket 8982->8983 8985 6e5724 8 API calls 8982->8985 8983->8925 8987 6f9197 8983->8987 8986 6f8fbc Mailbox 8984->8986 8985->8983 8991 6f074e wvsprintfA 8986->8991 8988 6f91bb setsockopt 8987->8988 8989 6f91f3 gethostbyname 8987->8989 8988->8989 8989->8925 8992 6f9289 inet_ntoa inet_addr 8989->8992 8993 6f8fdd 8991->8993 8997 6f92ef 8992->8997 8998 6f92f9 htons connect 8992->8998 8994 6f8251 2 API calls 8993->8994 8996 6f8ff4 8994->8996 8999 6f0b92 9 API calls 8996->8999 8997->8998 8998->8925 9001 6f932f Mailbox 8998->9001 9000 6f9042 8999->9000 9002 6e5724 8 API calls 9000->9002 9003 6f939f send 9001->9003 9002->8966 9004 6f93bb Mailbox 9003->9004 9004->8925 9005 709707 Mailbox 8 API calls 9004->9005 9018 6f93df Mailbox 9005->9018 9006 6f946b recv 9006->9018 9007 6f9784 closesocket 9007->8925 9010 6f97e1 9007->9010 9011 6f1c14 8 API calls 9010->9011 9011->8925 9012 6f7f29 Mailbox 8 API calls 9012->9018 9013 709883 8 API calls 9013->9018 9014 6f23e9 9 API calls 9014->9018 9015 6f8251 GetProcessHeap RtlFreeHeap 9015->9018 9017 6fa805 GetProcessHeap RtlAllocateHeap 9017->9018 9018->9006 9018->9007 9018->9012 9018->9013 9018->9014 9018->9015 9018->9017 9043 70d5e8 9018->9043 9047 6ef1bd 9018->9047 9021 6f21ab 9019->9021 9020 6f23d9 9020->8893 9021->9020 9024 6f2298 9021->9024 9025 6f233c 9021->9025 9022 6f22b7 DeleteFileA 9022->9024 9024->9021 9024->9022 9065 6f9ef6 9024->9065 9026 6f23c2 9025->9026 9070 6eb920 9025->9070 9074 6e5430 9026->9074 9031 6efe66 Mailbox 9029->9031 9030 6eff60 
Mailbox 9030->8904 9031->9030 9032 709883 8 API calls 9031->9032 9032->9030 9034 6ea95f Mailbox 9033->9034 9035 6fa805 2 API calls 9034->9035 9036 6eac5d 9035->9036 9037 6f8251 2 API calls 9036->9037 9038 6eac90 9037->9038 9038->8915 9040 6f1c36 Mailbox 9039->9040 9061 6ebdcb 9040->9061 9042 6f1ce6 Mailbox 9042->8955 9044 70d5ff 9043->9044 9045 6e3e8c GetSystemTimeAsFileTime 9044->9045 9046 70d628 9044->9046 9045->9046 9046->9018 9048 6ef206 9047->9048 9049 6fa805 2 API calls 9048->9049 9050 6ef22f 9049->9050 9051 6f23e9 9 API calls 9050->9051 9052 6ef250 Mailbox 9051->9052 9053 6f8251 2 API calls 9052->9053 9054 6ef28d 9053->9054 9055 6fa805 2 API calls 9054->9055 9060 6ef2a5 9054->9060 9056 6ef2cb 9055->9056 9057 6f23e9 9 API calls 9056->9057 9058 6ef2e2 Mailbox 9057->9058 9059 6f8251 2 API calls 9058->9059 9059->9060 9060->9018 9062 6ebde1 Mailbox 9061->9062 9063 6f7f29 Mailbox 8 API calls 9062->9063 9064 6ebe04 Mailbox 9063->9064 9064->9042 9078 6f5b3e 9065->9078 9067 6f9f0d 9082 6e82bf 9067->9082 9071 6eb93a 9070->9071 9073 6eb97f 9071->9073 9097 6ede9c 9071->9097 9073->9025 9075 6e5438 9074->9075 9104 7094b4 9075->9104 9079 6f5b5a Mailbox 9078->9079 9080 6f7f29 Mailbox 8 API calls 9079->9080 9081 6f5b64 Mailbox 9080->9081 9081->9067 9084 6e82cc 9082->9084 9083 6e82dc 9083->9024 9084->9083 9086 6f9a0f 9084->9086 9089 707848 9086->9089 9088 6f9a1d 9088->9083 9090 70785a Mailbox 9089->9090 9093 704333 9090->9093 9092 707870 Mailbox 9092->9088 9094 70433e 9093->9094 9095 6ef821 Mailbox 8 API calls 9094->9095 9096 7043a8 9095->9096 9096->9092 9100 6e84ea 9097->9100 9101 6e8529 9100->9101 9102 6ebdcb 8 API calls 9101->9102 9103 6e854b 9102->9103 9103->9073 9105 7094bd Mailbox 9104->9105 9107 7094e3 9104->9107 9106 6ede5a Mailbox 2 API calls 9105->9106 9106->9107 9389 6e59a1 9392 70cf7e 9389->9392 9393 70236a lstrlen 9392->9393 9394 6e59af 9393->9394 9174 6e4e3c 9175 6e4e47 9174->9175 9176 6f56c6 8 API calls 9175->9176 9177 6e4e9b 9176->9177 9398 6e11b7 9399 6e1214 
9398->9399 9402 6e122a Mailbox 9398->9402 9400 7042b6 lstrlen 9400->9402 9401 6f074e wvsprintfA 9401->9402 9402->9399 9402->9400 9402->9401 9182 6efa34 9185 6e7fce 9182->9185 9184 6efa42 9186 7042b6 lstrlen 9185->9186 9187 6e7fe9 Mailbox 9186->9187 9187->9184 9403 6e81b5 9404 6e81dc 9403->9404 9405 6e3b08 8 API calls 9404->9405 9406 6e823c 9405->9406 9407 6fbf07 8 API calls 9406->9407 9408 6e8276 9407->9408 9409 6ee9b3 9410 6f9a0f 8 API calls 9409->9410 9411 6ee9e3 9410->9411 9412 6e5724 8 API calls 9411->9412 9413 6eea10 9412->9413 9341 70df16 9346 6f6bb9 9341->9346 9353 7092e8 9346->9353 9354 7092fe 9353->9354 9355 6edb48 Mailbox 8 API calls 9354->9355 9356 709338 9355->9356 9297 6f7686 9300 6efc1b 9297->9300 9301 7094b4 Mailbox 2 API calls 9300->9301 9302 6efc29 9301->9302 9420 6ead87 9421 6eada3 9420->9421 9476 6e501c 9421->9476 9423 6eae0e 9424 70443e 4 API calls 9423->9424 9429 6eb26c Mailbox 9423->9429 9425 6eaeff 9424->9425 9426 6fa805 2 API calls 9425->9426 9427 6eaf15 9426->9427 9428 6e846d 9 API calls 9427->9428 9430 6eaf2d 9428->9430 9431 6f8251 2 API calls 9430->9431 9432 6eaf56 9431->9432 9479 702306 9432->9479 9437 6e5724 8 API calls 9438 6eaf88 Mailbox 9437->9438 9439 6fa805 2 API calls 9438->9439 9440 6eafc5 9439->9440 9441 6f0b92 9 API calls 9440->9441 9442 6eafe2 9441->9442 9443 6e5724 8 API calls 9442->9443 9444 6eafee Mailbox 9443->9444 9445 6f8251 2 API calls 9444->9445 9446 6eb00f 9445->9446 9447 6efe4b 8 API calls 9446->9447 9448 6eb02d 9447->9448 9449 6e5724 8 API calls 9448->9449 9450 6eb036 Mailbox 9449->9450 9451 6f1c14 8 API calls 9450->9451 9452 6eb066 9451->9452 9485 6e60ad 9452->9485 9454 6eb085 Mailbox 9455 6f5fba 9 API calls 9454->9455 9456 6eb0c9 9455->9456 9539 6e7ef1 9456->9539 9459 6fa805 2 API calls 9460 6eb0f8 9459->9460 9461 6f0b92 9 API calls 9460->9461 9462 6eb149 9461->9462 9463 6e5724 8 API calls 9462->9463 9464 6eb155 Mailbox 9463->9464 9465 6f8251 2 API calls 9464->9465 9466 6eb174 Mailbox 9465->9466 9467 709883 8 API 
calls 9466->9467 9468 6eb19a 9467->9468 9469 709707 Mailbox 8 API calls 9468->9469 9470 6eb1ea 9469->9470 9471 6fa805 2 API calls 9470->9471 9472 6eb217 9471->9472 9473 6f8695 21 API calls 9472->9473 9474 6eb235 9473->9474 9475 6f8251 2 API calls 9474->9475 9475->9429 9477 709883 8 API calls 9476->9477 9478 6e5042 SetEvent 9477->9478 9478->9423 9543 6e4f0b 9479->9543 9482 6f1bc3 9483 707848 8 API calls 9482->9483 9484 6eaf7c 9483->9484 9484->9437 9486 6e6101 9485->9486 9487 6fa805 2 API calls 9486->9487 9492 6e623b Mailbox 9486->9492 9488 6e61a7 9487->9488 9489 6e846d 9 API calls 9488->9489 9490 6e61d6 9489->9490 9491 6f8251 2 API calls 9490->9491 9491->9492 9493 6e6321 9492->9493 9496 6e63fd 9492->9496 9494 6fa805 2 API calls 9493->9494 9495 6e635d 9494->9495 9497 6e846d 9 API calls 9495->9497 9499 6fa805 2 API calls 9496->9499 9498 6e6381 9497->9498 9500 6f8251 2 API calls 9498->9500 9501 6e6487 Mailbox 9499->9501 9538 6e639c Mailbox 9500->9538 9551 6f7ab8 9501->9551 9504 6f8251 2 API calls 9505 6e64eb 9504->9505 9506 6e651c 9505->9506 9507 6e6598 9505->9507 9508 6fa805 2 API calls 9506->9508 9563 6e8036 9507->9563 9510 6e6532 9508->9510 9512 6e846d 9 API calls 9510->9512 9515 6e6548 9512->9515 9513 6e65cb 9519 6fa805 2 API calls 9513->9519 9514 6e6668 9516 6eddd3 lstrlen 9514->9516 9517 6f8251 2 API calls 9515->9517 9518 6e66a4 9516->9518 9517->9538 9567 6fae3b 9518->9567 9520 6e65f2 9519->9520 9522 6e846d 9 API calls 9520->9522 9523 6e6612 9522->9523 9525 6f8251 2 API calls 9523->9525 9525->9538 9528 6fa805 2 API calls 9529 6e6718 9528->9529 9530 6f8251 2 API calls 9529->9530 9531 6e6775 9530->9531 9532 7042b6 lstrlen 9531->9532 9533 6e67c4 9532->9533 9534 6ec622 5 API calls 9533->9534 9535 6e67e3 9534->9535 9575 70d831 9535->9575 9538->9454 9540 6e7f14 9539->9540 9541 6edd8f 8 API calls 9540->9541 9542 6e7f37 9541->9542 9542->9459 9544 6e4f16 9543->9544 9547 6ee739 9544->9547 9548 6ee751 9547->9548 9549 6edd8f 8 API calls 9548->9549 9550 6e4f36 9549->9550 
9550->9482 9553 6f7ae2 9551->9553 9552 6e64bc 9552->9504 9553->9552 9604 706c12 9553->9604 9558 6f7d11 9562 6f7c94 Mailbox 9558->9562 9614 6fbff6 9558->9614 9560 6f7dab 9621 6f70e6 9560->9621 9631 6f761b 9562->9631 9564 6e804b GetModuleFileNameA 9563->9564 9566 6e65c2 9564->9566 9566->9513 9566->9514 9568 6fae5e 9567->9568 9569 6ebece 9 API calls 9568->9569 9570 6e66de 9568->9570 9569->9570 9571 703ca3 9570->9571 9573 6e6702 9571->9573 9574 703cd9 9571->9574 9572 6fae3b 9 API calls 9572->9574 9573->9528 9574->9572 9574->9573 9576 70d84e Mailbox 9575->9576 9577 70d94f CreatePipe 9576->9577 9578 70d9ad SetHandleInformation 9577->9578 9587 70d999 9577->9587 9582 70da12 9578->9582 9583 70da3b CreatePipe 9578->9583 9580 709707 Mailbox 8 API calls 9581 6e6894 DeleteFileA 9580->9581 9581->9538 9582->9583 9584 70da52 9583->9584 9585 70da66 SetHandleInformation 9583->9585 9586 70de64 CloseHandle 9584->9586 9589 70da9a Mailbox 9585->9589 9586->9587 9588 70de7b CloseHandle 9586->9588 9587->9580 9587->9581 9588->9587 9590 70db76 CreateProcessA 9589->9590 9591 70dbe0 CloseHandle 9590->9591 9592 70dc04 WriteFile 9590->9592 9595 70ddd2 CloseHandle 9591->9595 9592->9591 9594 70dc3e CloseHandle CloseHandle 9592->9594 9598 70dca1 9594->9598 9595->9586 9766 704101 9598->9766 9602 70dd6c CloseHandle CloseHandle 9602->9595 9605 706c2d 9604->9605 9606 6e4088 4 API calls 9605->9606 9607 706cb8 9606->9607 9608 6e86e2 4 API calls 9607->9608 9609 6f7c5d 9607->9609 9608->9609 9609->9562 9610 6e86e2 9609->9610 9611 6e86f8 9610->9611 9612 6e4088 4 API calls 9611->9612 9613 6e873e Mailbox 9612->9613 9613->9558 9634 6e7bf8 9614->9634 9618 6fc05c 9646 6e774c 9618->9646 9620 6fc089 Mailbox 9620->9560 9622 6f70f3 9621->9622 9624 6f71ef 9622->9624 9658 6fa4b9 9622->9658 9624->9562 9626 6fa805 2 API calls 9628 6f740b 9626->9628 9627 6fa805 2 API calls 9627->9624 9628->9624 9629 6f8251 2 API calls 9628->9629 9630 6f745e 9629->9630 9630->9624 9630->9627 9632 70572d 2 API calls 9631->9632 9633 6f7661 
9632->9633 9633->9552 9635 6e7c25 9634->9635 9636 6fa805 2 API calls 9635->9636 9637 6e7c4e Mailbox 9636->9637 9638 6f8251 2 API calls 9637->9638 9639 6e7c82 9638->9639 9640 6f0ce6 9639->9640 9642 6f0d32 Mailbox 9640->9642 9641 6f0ecd 9644 6f1054 Mailbox 9641->9644 9645 6f0113 4 API calls 9641->9645 9642->9641 9642->9644 9652 6f0113 9642->9652 9644->9618 9645->9641 9647 6e77a8 Mailbox 9646->9647 9648 6f0ce6 4 API calls 9647->9648 9649 6e7a60 9648->9649 9650 6f0ce6 4 API calls 9649->9650 9651 6e7ab2 9650->9651 9651->9620 9653 6f0132 Mailbox 9652->9653 9654 6fa805 2 API calls 9653->9654 9655 6f0318 9654->9655 9656 6f8251 2 API calls 9655->9656 9657 6f05f9 9656->9657 9657->9641 9659 6fa506 9658->9659 9660 706c12 4 API calls 9659->9660 9662 6fa539 9660->9662 9661 70572d 2 API calls 9666 6f719b 9661->9666 9663 6fa58e 9662->9663 9664 6fa563 9662->9664 9668 6fa5e4 9662->9668 9669 6e69a8 9663->9669 9665 70572d 2 API calls 9664->9665 9665->9666 9666->9624 9666->9626 9666->9630 9668->9661 9670 6e69c7 Mailbox 9669->9670 9671 6e4088 4 API calls 9670->9671 9681 6e76f7 9670->9681 9672 6e6c45 9671->9672 9673 6e4088 4 API calls 9672->9673 9703 6e70f3 9672->9703 9675 6e6c6a 9673->9675 9674 6e76cf 9676 6e76fc 9674->9676 9677 6e76e7 9674->9677 9682 6e4088 4 API calls 9675->9682 9675->9703 9680 70572d 2 API calls 9676->9680 9679 70572d 2 API calls 9677->9679 9678 70572d 2 API calls 9678->9703 9679->9681 9680->9681 9681->9668 9683 6e6c97 9682->9683 9684 6e86e2 4 API calls 9683->9684 9694 6e6cb9 Mailbox 9683->9694 9683->9703 9685 6e6d18 9684->9685 9685->9703 9704 6edec6 9685->9704 9687 6e6e4c 9691 6e85a4 4 API calls 9687->9691 9688 6e6e3d 9690 702405 4 API calls 9688->9690 9693 6e6e47 9690->9693 9691->9693 9695 6e85a4 4 API calls 9693->9695 9694->9687 9694->9688 9694->9703 9696 6e6ec5 9695->9696 9697 6e4088 4 API calls 9696->9697 9696->9703 9698 6e6f71 9697->9698 9699 6e85a4 4 API calls 9698->9699 9698->9703 9701 6e6f9e 9699->9701 9700 6e4088 4 API calls 9700->9701 9701->9700 9702 
6e85a4 4 API calls 9701->9702 9701->9703 9702->9701 9703->9674 9703->9678 9705 6edf1f 9704->9705 9706 6e4088 4 API calls 9705->9706 9707 6e6d62 9705->9707 9706->9707 9707->9703 9708 702405 9707->9708 9709 702431 9708->9709 9716 6e9903 9709->9716 9711 7024b6 9711->9694 9712 702450 9712->9711 9713 70248c 9712->9713 9714 6ee4e4 4 API calls 9712->9714 9713->9711 9756 6f6d72 9713->9756 9714->9712 9717 6e9924 9716->9717 9718 6e99a4 9717->9718 9719 6e9a10 9717->9719 9722 6e9952 9717->9722 9720 6e99c4 9718->9720 9721 6e86e2 4 API calls 9718->9721 9723 6e85a4 4 API calls 9719->9723 9720->9722 9724 6e85a4 4 API calls 9720->9724 9725 6e99ea 9720->9725 9721->9720 9722->9712 9727 6e9a45 9723->9727 9724->9725 9725->9722 9726 70572d 2 API calls 9725->9726 9726->9722 9727->9725 9728 6e85a4 4 API calls 9727->9728 9729 6e9aaa 9728->9729 9729->9725 9730 6e4088 4 API calls 9729->9730 9731 6e9aed 9730->9731 9731->9725 9732 6e86e2 4 API calls 9731->9732 9733 6e9b25 9732->9733 9733->9725 9734 6e4088 4 API calls 9733->9734 9735 6e9b46 9734->9735 9735->9725 9736 6e4088 4 API calls 9735->9736 9737 6e9b73 9736->9737 9737->9725 9738 6edec6 4 API calls 9737->9738 9740 6e9c7b 9737->9740 9739 6e9c56 9738->9739 9739->9725 9742 6edec6 4 API calls 9739->9742 9740->9725 9741 6edec6 4 API calls 9740->9741 9743 6e9d47 9741->9743 9742->9740 9744 6f6d72 4 API calls 9743->9744 9745 6e9e51 9743->9745 9744->9743 9745->9725 9746 6ea66b 9745->9746 9749 6e86e2 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9745->9749 9751 6e534c GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9745->9751 9752 6edec6 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9745->9752 9753 6f6d72 4 API calls 9745->9753 9754 6e85a4 4 API calls 9745->9754 9755 6ee4e4 4 API calls 9745->9755 9747 6e85a4 4 API calls 9746->9747 9748 6ea6fa 9746->9748 9747->9748 9748->9725 9750 6e85a4 4 API calls 9748->9750 9749->9745 9750->9725 9751->9745 9752->9745 9753->9745 9754->9745 9755->9745 9757 6f6d97 9756->9757 9758 
6f6f07 9757->9758 9759 6f6dd4 9757->9759 9760 6eb38e 4 API calls 9758->9760 9761 6f6e66 9759->9761 9762 6f6df4 9759->9762 9765 6f6e24 9760->9765 9764 7058f9 4 API calls 9761->9764 9763 7058f9 4 API calls 9762->9763 9763->9765 9764->9765 9765->9713 9767 70410e 9766->9767 9768 709707 Mailbox 8 API calls 9767->9768 9771 70419c 9768->9771 9769 7041f1 ReadFile 9770 704256 WaitForSingleObject 9769->9770 9769->9771 9770->9602 9771->9769 9771->9770 9772 709883 8 API calls 9771->9772 9772->9771 9303 6f5485 9304 6f5488 Mailbox 9303->9304 9305 6f55fd CreateProcessA 9304->9305 9306 6f5677 9305->9306 9307 6f5633 CloseHandle CloseHandle 9305->9307 9307->9306 9192 70d01d 9193 70d03a 9192->9193 9199 705d58 9193->9199 9197 70d067 9198 70d108 ExitProcess 9197->9198 9200 705d93 9199->9200 9210 6e565e 9200->9210 9202 705dbb 9203 6f5d50 9202->9203 9204 6f5d87 GetStdHandle 9203->9204 9205 6f5d74 9203->9205 9206 6f5dc5 GetStdHandle 9204->9206 9207 6f5db3 9204->9207 9205->9204 9208 6f5dfa GetStdHandle 9206->9208 9207->9206 9208->9197 9211 6e56c5 GetProcessHeap HeapAlloc 9210->9211 9212 6e5695 9210->9212 9211->9202 9212->9211 9773 6e519e 9774 7023a6 Mailbox 2 API calls 9773->9774 9775 6e51b3 9774->9775
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00700590
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 007005E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00700629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00700649
• GetTickCount.KERNEL32 ref: 007006E6
• GetCommandLineA.KERNEL32 ref: 00700873
Strings
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: $}\N$241$C:\Windows\system32\config\systemprofile$C:\hjflhukc\xxxniijvj.exe$HO$^d/$tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"$wb_m$~z0
• API String ID: 3327569919-2039580995
• Opcode ID: 17797059419fb3c61bd7669142564b569e9fba1c1c56f6308d705395b899ee1b
• Instruction ID: 2e3ee24ea039e9ae000fe3fc675072ef79b44a8e7a0d3c89c776d4fb59986b0b
• Opcode Fuzzy Hash: 17797059419fb3c61bd7669142564b569e9fba1c1c56f6308d705395b899ee1b
• Instruction Fuzzy Hash: 9A039771605204DBD748DF6CEC96AFA37F5FB48711B10C21AE9028A2E1EB3C9981CB5D

Control-flow Graph

[Interactive control-flow graph (basic blocks marked Executed / Not Executed) for the function starting at 6e88a8, spanning blocks 6e88a8 through 6e97f8; the block list is omitted here. Within this function the graph shows calls to 6e57a9 and to the APIs GetVersionExA, CreateDirectoryA, DeleteFileA, RemoveDirectoryA, GetTempPathA and SetFileAttributesA, matching the API list below.]
APIs
• GetVersionExA.KERNEL32(0071B028), ref: 006E893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 006E8AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 006E8D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 006E8D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 006E8DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 006E8E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 006E9158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 006E91F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 006E936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 006E94DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 006E963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 006E97B0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\hjflhukc\$\$gKV`$h)N^
• API String ID: 1691758827-4224816522
• Opcode ID: 08fbe189352bd912b15d668c85a30f205a2e38a6bffee895818c3075c7e7aea1
• Instruction ID: 00f4b4968db0ca244334dd44df3b101a23cd8d80053d011cfd0d73d7c2504618
• Opcode Fuzzy Hash: 08fbe189352bd912b15d668c85a30f205a2e38a6bffee895818c3075c7e7aea1
• Instruction Fuzzy Hash: 6782D0B1515244DFC748DB6DEC969EA37BAFB44300B00C06AE906DB2E1EB3C9946CB5D

Control-flow Graph

Control-flow graph of the function starting at 7084d7 (rendered graph; edge list not reproduced).
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 007086E1
• LoadLibraryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 0070876A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00708854
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 00708891
• HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100), ref: 007088DD
• FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 00708908
• GetAdaptersInfo.IPHLPAPI(00000000,00000009,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 00708935
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100), ref: 0070897A
• HeapAlloc.KERNEL32(?,00000000,00000009,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100), ref: 007089C3
• FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 00708A10
• GetAdaptersInfo.IPHLPAPI(00000000,00000009,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 00708A78
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100), ref: 007090B2
• FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,?,006FB7C4,?,?,00000000,00000100,00000009), ref: 007090D7
Strings
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: Free$HeapLibrary$AdaptersAllocInfo$AddressLoadProcProcess
• String ID: Q:3q$SAcA
• API String ID: 2633798829-494069912
• Opcode ID: f5d5dd539d52b5b2cc155bef9f85d3bc3ff954688a30b5f75c1f483ca4c17d05
• Instruction ID: 6d182f48da7504beead1c137bb28f39578c622fb14f349ac78cbcfaa79c55111
• Opcode Fuzzy Hash: f5d5dd539d52b5b2cc155bef9f85d3bc3ff954688a30b5f75c1f483ca4c17d05
• Instruction Fuzzy Hash: 345298B6614600CBC798CF6CEC966E937F5FB58311B10C51AE942CA2E1EB3C9941CB5E
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 006F9154
• setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 006F91DB
• gethostbyname.WS2_32(?), ref: 006F9261
• inet_ntoa.WS2_32(?), ref: 006F92CF
• inet_addr.WS2_32(00000000), ref: 006F92D6
• htons.WS2_32(00000050), ref: 006F92FB
• connect.WS2_32(00000000,?,00000010), ref: 006F9316
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 006F93A1
• recv.WS2_32(0000000B,?,00000400,00000000), ref: 006F947C
• closesocket.WS2_32(0000000B), ref: 006F97C6
Strings
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: closesocketconnectgethostbynamehtonsinet_addrinet_ntoarecvsendsetsockoptsocket
• String ID: /$;$Rb
• API String ID: 4203722200-1076244922
• Opcode ID: 05365ffa9a11ca0734a9b0a4970e7f682981dc119086dcc5ff0eee04a6e60353
• Instruction ID: 20462a92ebb583e8f86417e0124be6b2963ff35006ebe43868b57013692801de
• Opcode Fuzzy Hash: 05365ffa9a11ca0734a9b0a4970e7f682981dc119086dcc5ff0eee04a6e60353
• Instruction Fuzzy Hash: 2392BB72915204DBD718DF6CEC92AF937B6FB44710B10C41AEA06DA2E1EB389942CB5D

Control-flow Graph

Control-flow graph of the function starting at 6e5c39 (rendered graph; edge list not reproduced).
APIs
• Sleep.KERNELBASE(000003E8), ref: 006E5DEC
• FindFirstFileA.KERNELBASE(?,?), ref: 006E5EB2
• DeleteFileA.KERNELBASE(?), ref: 006E5FE2
• FindNextFileA.KERNELBASE(00000000,?), ref: 006E6020
• FindClose.KERNEL32(00000000), ref: 006E6042
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FileFind$CloseDeleteFirstNextSleep
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1528862845-0
                                                                                                                                                                                                            • Opcode ID: b3d5af76ce10cbcb263ccc258168687bcfde46c4a7cea0648c0651c52dfebeca
                                                                                                                                                                                                            • Instruction ID: 8120b14192bac12e49f8d7ba682d463b9b7520fffd7fad5b39083314e252fc14
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b3d5af76ce10cbcb263ccc258168687bcfde46c4a7cea0648c0651c52dfebeca
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 22A1CE75512695DBC748CF6DEC969E933B9FB48301710C11AE906CA2E0EB3C9946CB8E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1231 6f571f-6f574f 1232 6f577f-6f5796 1231->1232 1233 6f5751-6f576b 1231->1233 1235 6f5798-6f57aa 1232->1235 1236 6f57b6-6f57d1 1232->1236 1233->1232 1234 6f576d-6f5779 1233->1234 1234->1232 1235->1236 1237 6f57ac 1235->1237 1238 6f57dd-6f5826 CreateToolhelp32Snapshot 1236->1238 1239 6f57d3 1236->1239 1237->1236 1240 6f584f-6f5865 1238->1240 1241 6f5828-6f584d 1238->1241 1239->1238 1242 6f586b-6f586d 1240->1242 1241->1242 1243 6f5873-6f58b1 1242->1243 1244 6f5ab1-6f5af0 call 6f06af 1242->1244 1246 6f58da-6f5908 Process32First 1243->1246 1247 6f58b3-6f58c6 1243->1247 1250 6f590e-6f5934 1246->1250 1251 6f5a6c-6f5a93 FindCloseChangeNotification 1246->1251 1247->1246 1249 6f58c8-6f58d4 1247->1249 1249->1246 1252 6f5936-6f5950 1250->1252 1253 6f5952 1250->1253 1254 6f5a95-6f5a9f 1251->1254 1255 6f5aa1-6f5aab 1251->1255 1256 6f595c-6f59c0 call 705eaf call 6f20d8 call 707406 1252->1256 1253->1256 1254->1244 1255->1244 1263 6f5a2b-6f5a42 1256->1263 1264 6f59c2-6f5a08 Process32Next 1256->1264 1267 6f5a44-6f5a53 1263->1267 1268 6f5a62 1263->1268 1265 6f5a0a-6f5a1c 1264->1265 1266 6f5a21-6f5a23 1264->1266 1265->1266 1266->1250 1269 6f5a29 1266->1269 1267->1251 1270 6f5a55-6f5a60 1267->1270 1268->1251 1269->1251 1270->1251
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006F5804
• Process32First.KERNEL32(00000000,00000128), ref: 006F58E2
• Process32Next.KERNEL32(00000000,00000128), ref: 006F59E8
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 006F5A7E
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: 1fa510e856e178a374fff8757bc94637e799d012254f62487e0f59f3cd360d92
• Instruction ID: bc290aacd7b4cfcfce43ad551b03d73b634e148baa46426790f2fcb56d41a9ab
• Opcode Fuzzy Hash: 1fa510e856e178a374fff8757bc94637e799d012254f62487e0f59f3cd360d92
• Instruction Fuzzy Hash: 6F91A976A05604DBC748DF2DECA65F937B5FB48311B10C11AEA02CA2E0EB38D952CF59

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1271 6fb3db-6fb41a 1272 6fb41c-6fb434 1271->1272 1273 6fb441-6fb4a1 call 6efe2b 1271->1273 1272->1273 1275 6fb436-6fb43c 1272->1275 1277 6fb4a3-6fb4ad 1273->1277 1278 6fb4b2-6fb4e9 call 6e57a9 call 6e7ec1 1273->1278 1275->1273 1277->1278 1283 6fb4eb-6fb4f7 call 6f76a5 1278->1283 1284 6fb4f9 1278->1284 1286 6fb4ff-6fb530 GetComputerNameA 1283->1286 1284->1286 1288 6fb536-6fb5bc call 6fa805 call 705eaf call 6f8251 1286->1288 1289 6fb5c2-6fb66b call 6fa805 call 705eaf call 6f8251 call 6e846d 1286->1289 1288->1289 1304 6fb6cf-6fb715 call 6e695e call 705eaf 1289->1304 1305 6fb66d-6fb688 1289->1305 1312 6fb73c-6fb776 call 6ef38b 1304->1312 1313 6fb717-6fb736 1304->1313 1307 6fb6af-6fb6ca 1305->1307 1308 6fb68a-6fb6ad 1305->1308 1307->1304 1308->1304 1316 6fb778-6fb782 1312->1316 1317 6fb787-6fb854 call 6f06af call 7084d7 call 7042b6 call 6f0b92 call 6e5724 call 6e5017 1312->1317 1313->1312 1316->1317 1330 6fb888-6fb8a0 call 6e695e 1317->1330 1331 6fb856-6fb869 1317->1331 1335 6fb8ac-6fb8d0 1330->1335 1336 6fb8a2 1330->1336 1331->1330 1332 6fb86b-6fb882 1331->1332 1332->1330 1337 6fb913 1335->1337 1338 6fb8d2-6fb8fc 1335->1338 1336->1335 1339 6fb91d-6fb9ae call 6f0b92 call 6e5724 call 6e5017 call 6e695e call 6f0b92 call 6e5724 call 6e5017 1337->1339 1340 6fb8fe-6fb908 1338->1340 1341 6fb90a-6fb911 1338->1341 1356 6fb9bc 1339->1356 1357 6fb9b0-6fb9ba 1339->1357 1340->1339 1341->1339 1358 6fb9c6-6fb9e4 call 6e695e 1356->1358 1357->1358 1361 6fb9e6 1358->1361 1362 6fb9f0-6fbae3 call 6f0b92 call 6e5724 call 6e5017 call 6e695e call 6f0b92 call 6e5724 call 6e5017 call 6e695e call 6fa805 call 6f0b92 call 6e5724 call 6e5017 1358->1362 1361->1362 1387 6fbaef-6fbb0a call 6f8251 1362->1387 1388 6fbae5 1362->1388 1391 6fbb0c 1387->1391 1392 6fbb16-6fbc67 call 6e695e call 6f0b92 call 6e5724 call 6e5017 call 6e695e call 6f0b92 call 6e5724 call 6e5017 call 6e695e call 6e3cdc call 6e4d07 call 6f0b92 call 6e5724 call 6e5017 call 6e695e call 6e52d0 1387->1392 1388->1387 1391->1392 1425 6fbc69-6fbc6e 1392->1425 1426 6fbc74-6fbcdb call 6f0b92 call 6e5724 call 6e5017 call 6ec9ba call 70d492 call 6f5fba 1392->1426 1425->1426 1439 6fbcdd-6fbcef 1426->1439 1440 6fbcfc-6fbdb7 call 709707 call 6ec9ba call 70d492 call 709883 call 6f9ab1 call 6eee34 call 6f06af * 2 1426->1440 1439->1440 1441 6fbcf1-6fbcf6 1439->1441 1458 6fbdb9-6fbdca 1440->1458 1459 6fbdd0-6fbe13 call 6f06af call 6e5017 call 6f9a04 1440->1459 1441->1440 1458->1459
APIs
• GetComputerNameA.KERNEL32(?,?), ref: 006FB528
  • Part of subcall function 007042B6: lstrlen.KERNEL32(?,?,006E5DCE,?,00000104,?), ref: 00704320
Strings
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: ComputerNamelstrlen
• String ID: K]g[$myiW
• API String ID: 4141851928-3148350528
• Opcode ID: 4740af226a9709320071b075b1ea83dc9df3f924d17954e8781ff7450dd6235a
• Instruction ID: 93556f1a5aa643aff0bb748f6256cd09778cc0ba6732fd94ef6b1fea8d0b060a
• Opcode Fuzzy Hash: 4740af226a9709320071b075b1ea83dc9df3f924d17954e8781ff7450dd6235a
• Instruction Fuzzy Hash: DF42B271901249DBCB58EF6CED929FA73B9FB14704B00C01AE606E71E1EB389A45CB5D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1466 7024d3-70252b call 6e57a9 * 2 1471 70252d-70254d 1466->1471 1472 70255e 1466->1472 1473 702557-70255c 1471->1473 1474 70254f-702555 1471->1474 1475 702568-70258b 1472->1475 1473->1475 1474->1475 1476 7025a0-7025c1 1475->1476 1477 70258d-70259b 1475->1477 1478 7025c3 1476->1478 1479 7025cd-702661 call 70d256 call 6e46b3 call 6e5c39 1476->1479 1477->1476 1478->1479 1486 702663-702673 1479->1486 1487 702675-702686 1479->1487 1488 70268b-7026c4 call 6ef793 call 6fa805 1486->1488 1487->1488 1493 7026d1-7026f2 call 6ef38b 1488->1493 1494 7026c6-7026cb 1488->1494 1497 7026f4 1493->1497 1498 7026fe-70271b call 6f8251 1493->1498 1494->1493 1497->1498 1501 70272c-702757 1498->1501 1502 70271d-702727 1498->1502 1503 702759-70276b 1501->1503 1504 70276d-702783 1501->1504 1502->1501 1505 70278a-7027b8 call 6e3e8c 1503->1505 1504->1505 1508 7027c4-702812 call 70473b 1505->1508 1509 7027ba 1505->1509 1512 702cd6-702d35 call 709707 Sleep call 6f2192 call 6f571f 1508->1512 1513 702818 1508->1513 1509->1508 1528 702d3a-702d3d 1512->1528 1515 702822-70288a call 6f85e7 1513->1515 1516 70281a-70281c 1513->1516 1521 70289c-7028af 1515->1521 1522 70288c-702896 1515->1522 1516->1512 1516->1515 1524 702c62-702c64 1521->1524 1522->1521 1526 7028b4-7028c5 1524->1526 1527 702c6a 1524->1527 1530 7028d6-702902 call 6e3e8c 1526->1530 1531 7028c7-7028d1 1526->1531 1529 702cb4-702ccc 1527->1529 1532 702d43-702d5b 1528->1532 1533 702de6-702df0 1528->1533 1529->1512 1542 702961-7029ce call 70443e call 6fa805 call 6f8695 1530->1542 1543 702904 1530->1543 1531->1530 1535 702d7b-702d82 1532->1535 1536 702d5d-702d6e 1532->1536 1533->1505 1538 702d84-702dba call 6f54d8 1535->1538 1539 702dcb-702de1 1535->1539 1536->1535 1537 702d70-702d75 1536->1537 1537->1535 1538->1539 1549 702dbc-702dc6 1538->1549 1539->1533 1555 7029d3-702a40 call 6f8251 call 707dc0 call 704927 1542->1555 1546 702906-702909 1543->1546 1547 70290b-70295e call 70473b 1543->1547 1546->1542 1546->1547 1547->1542 1549->1539 1562 702a46-702a87 call 6fa805 1555->1562 1563 702c08-702c46 call 6f06af 1555->1563 1570 702a93-702af3 call 6e846d call 6f8251 call 6e5724 1562->1570 1571 702a89 1562->1571 1568 702c48-702c5f 1563->1568 1569 702c6c-702c93 1563->1569 1568->1524 1573 702ca1-702cae 1569->1573 1574 702c95-702c9f 1569->1574 1580 702af5 1570->1580 1581 702aff-702b16 call 6e695e 1570->1581 1571->1570 1573->1529 1574->1529 1580->1581 1584 702b18-702b24 1581->1584 1585 702b2a-702c03 call 6efe4b call 6e5724 call 6e5017 call 6fa805 call 6f8695 call 6f8251 call 707dc0 call 704927 1581->1585 1584->1585 1585->1563
APIs
• Sleep.KERNELBASE(000008AE), ref: 00702D0A
Strings
• tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe", xrefs: 00702D94
• C:\hjflhukc\xxxniijvj.exe, xrefs: 00702D9E
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: Sleep
• String ID: C:\hjflhukc\xxxniijvj.exe$tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
• API String ID: 3472027048-2520137044
• Opcode ID: 802665fddc49b84fd1f0010ef0710b71107792ded40de1e439a23687b7bccd91
• Instruction ID: 631ca4a9bf425850c120a0d4cb1e58557dfa525cdf0b3f098f29c0c9e6c9b94b
• Opcode Fuzzy Hash: 802665fddc49b84fd1f0010ef0710b71107792ded40de1e439a23687b7bccd91
• Instruction Fuzzy Hash: 89329872914244DFD748DF6CED96AEA37F5FB08700B10C11AE506DA2E1EB3C9A42CB59

Control-flow Graph (interactive graph viewer not reproduced)
APIs
• GetProcAddress.KERNEL32(00000000,00000000), ref: 006EC004
• GetProcAddress.KERNEL32(00000000), ref: 006EC080
• CryptGenRandom.ADVAPI32(00000004,?,00000000,?,00704797,?,007027D6,?), ref: 006EC1D3
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
• Opcode ID: 0ca80509c85dfb5524be0ab19fd7d2103ce5f4d33b16625fcb43d3a5d367c10f
• Instruction ID: ccd96711f9dd600067ab4e92ab46c9b1f744e325a9c80fdb127a51a4918c05f3
• Opcode Fuzzy Hash: 0ca80509c85dfb5524be0ab19fd7d2103ce5f4d33b16625fcb43d3a5d367c10f
• Instruction Fuzzy Hash: 8391B771615341DBD7688F6DEC929E937B6FB04760710C21AE916CA2F0EB7C8982CB4D
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00707525
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: d740df0969aaadd8265c96f9916899da2c7ae0b05c71b25ce6cda5ac8017630c
• Instruction ID: fde33b9fcb026758d3d843945e41ca61816ae8670ca047f3a23ac2e4f70d6918
• Opcode Fuzzy Hash: d740df0969aaadd8265c96f9916899da2c7ae0b05c71b25ce6cda5ac8017630c
• Instruction Fuzzy Hash: C4F0FEB2A112089FD704DF5CE94A6E97BF8F714316F04C65AD415D3290E7799614CF84

Control-flow Graph (interactive graph viewer not reproduced)
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 006ECAF2
• SetServiceStatus.SECHOST(0071B2DC), ref: 006ECB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006ECB78
• SetServiceStatus.ADVAPI32(0071B2DC), ref: 006ECBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 006ECC62
• SetServiceStatus.ADVAPI32(0071B2DC), ref: 006ECCAF
• CloseHandle.KERNEL32 ref: 006ECCC5
• SetServiceStatus.ADVAPI32(0071B2DC), ref: 006ECD8F
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: a344687968a283f9f8015dbcbb2886c43efb2e8cf7f8f7f9f379c6bce3486bdc
• Instruction ID: d982c6ad5bbca6b240020caf87787ee305263d181ed6d2590ad014427053aad3
• Opcode Fuzzy Hash: a344687968a283f9f8015dbcbb2886c43efb2e8cf7f8f7f9f379c6bce3486bdc
• Instruction Fuzzy Hash: D9913071112241DBC708CF6DED999E93BFAFB18711310C52AE4068A2F0EB3C9846CB9D

Control-flow Graph (interactive graph viewer not reproduced)
APIs
• CreateProcessA.KERNELBASE(?,006EDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 006F5628
• CloseHandle.KERNEL32(006EDA33,?,?,?,?,00000000), ref: 006F5652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 006F5665
Strings
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: fac7abe0959c2a42f72901857e608ea22e9418d526e2d740c1ac5adc8243a2b6
• Instruction ID: 65570c3b931488c9f594c3508d5491c8f3cdb35a053c1ef575b277ead8eccb0c
• Opcode Fuzzy Hash: fac7abe0959c2a42f72901857e608ea22e9418d526e2d740c1ac5adc8243a2b6
• Instruction Fuzzy Hash: C441BD715016489BCB58CFADFD969FA77B5FB84310710C11AEA02CA1F1E7388911CB59

Control-flow Graph (interactive graph viewer not reproduced)
APIs
• CreateProcessA.KERNELBASE(?,006EDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 006F5628
• CloseHandle.KERNEL32(006EDA33,?,?,?,?,00000000), ref: 006F5652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 006F5665
Strings
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292

Control-flow Graph
• Control-flow graph: function at 006EC622; calls subfunctions 0070DFA1, 006EB7CD, 006E4EB1, 006F85E7, 0070970F; API call sites CreateFileA, WriteFile, FindCloseChangeNotification
APIs
  • Part of subcall function 006EB7CD: WaitForSingleObject.KERNEL32(007027D6,00004E20,00000000,?,006EBFA2,00000000,00000000,?,00704797,?,007027D6,?), ref: 006EB81D
• CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,006ED913,00000000,00000000,?,00000000), ref: 006EC746
• WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,00000000,?), ref: 006EC90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000,?), ref: 006EC983
Similarity
• API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
• String ID:
• API String ID: 2552625159-0

Control-flow Graph
• Control-flow graph: function at 006EE769; API call sites AllocateAndInitializeSid, CheckTokenMembership, FreeSid
APIs
• AllocateAndInitializeSid.ADVAPI32(006E8954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,006E8954), ref: 006EE865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 006EE895
• FreeSid.ADVAPI32(?), ref: 006EE8DC
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0

Control-flow Graph
• Control-flow graph: function at 006F20D8; API call sites lstrlen, CharLowerBuffA
APIs
• lstrlen.KERNEL32(?,?,006F5997,?,?,?), ref: 006F20F0
• CharLowerBuffA.USER32(?,00000000,?,006F5997,?,?,?), ref: 006F2131
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0

Control-flow Graph
• Control-flow graph: function at 007023A6; API call sites GetProcessHeap, RtlAllocateHeap
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,0070A3A7,?,?,?,0070D0BE), ref: 007023F6
• RtlAllocateHeap.NTDLL(00000000,?,0070A3A7,?,?,?,0070D0BE), ref: 007023FD
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0

                                                                                                                                                                                                             Control-flow Graph (graph image not extracted; the Executed / Not Executed colouring of the blocks is not recoverable from the text)
                                                                                                                                                                                                             • Block 6ede5a-6ede88: calls GetProcessHeap, RtlFreeHeap; edges to 6ede8a-6ede94 and 6ede9a-6ede9b
                                                                                                                                                                                                             • Block 6ede8a-6ede94: edge to 6ede9a-6ede9b
                                                                                                                                                                                                             • Block 6ede9a-6ede9b: no outgoing edges
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000002,?,006F82CB,000036E2,000036E2,00000000,-00000002,?,006E5E87,00000002,00000000,?,00000000,000036E2,00000002), ref: 006EDE6C
                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,006F82CB,000036E2,000036E2,00000000,-00000002,?,006E5E87,00000002,00000000,?,00000000,000036E2,00000002,?), ref: 006EDE73
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3859560861-0
                                                                                                                                                                                                            • Opcode ID: 329d4712ef1fe065440913516ce00941ab4e000d1d0264055f39414b58dca61d
                                                                                                                                                                                                            • Instruction ID: 92202daab6305684a98f6fd0d08b2a6f28ee4f3d77fae2b31085c73c8006297a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 329d4712ef1fe065440913516ce00941ab4e000d1d0264055f39414b58dca61d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E3E08C32641248EBEE108BEEFC4A6843BE8FB21741B00C110F145CA6B0C72995408A8C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNELBASE(007027D6,80000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,?,007047E5,007027D6,00000000,00003571,00000003), ref: 0070770C
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                                                            • Opcode ID: 57055acdae95accc8667b0e805845f25a4ee30152af9a0c01601ec8c40a00fe2
                                                                                                                                                                                                            • Instruction ID: e2610c3d74323e9071237c1bd64f91a785ed86476b77e7620552baa1dfc82f81
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 57055acdae95accc8667b0e805845f25a4ee30152af9a0c01601ec8c40a00fe2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B951EE75A19241DBD3188B6CFD926B237F8FB50321B10C12AE906CA5F0E76DA941CB5D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 006E3BF6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                                                            • Opcode ID: 351abd3de1fd012bd1a49913eca9467662e16251e12964c4d07a6fb4c889c53d
                                                                                                                                                                                                            • Instruction ID: 161cb4c1cc0627966f9ef674f8694be8fd2dd8721bc8c5b4894e6ca444fa067e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 351abd3de1fd012bd1a49913eca9467662e16251e12964c4d07a6fb4c889c53d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3441E472941349DBC368DF6EEC4B9E237B8E784714B04C16AE601DB2E0DA389581CF9D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • Sleep.KERNELBASE(000003E8,?,00000000,00000000,?,007027D6,?), ref: 00704859
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                                                                                            • Opcode ID: acb18d99d2de796516402d8167d2c0e14390fe3e763dd4186db69f7c48a933a0
                                                                                                                                                                                                            • Instruction ID: b98b208b42d0f8fa24f587cd179b11e2a2172c95d68617c852bc396a612e9344
                                                                                                                                                                                                            • Opcode Fuzzy Hash: acb18d99d2de796516402d8167d2c0e14390fe3e763dd4186db69f7c48a933a0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0941DEB1550200DBD3689F6CFC47AA237B5FB84711B00C00EEA059A2E1EB7C9541CBAE
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreatePipe.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,00000000), ref: 0070D98F
                                                                                                                                                                                                            • SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0070D9F9
                                                                                                                                                                                                            • CreatePipe.KERNEL32(?,00000000,?,00000000), ref: 0070DA48
                                                                                                                                                                                                            • SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0070DA7E
                                                                                                                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0070DBCC
                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000020,00000020,00000000), ref: 0070DC1C
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070DC33
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070DC66
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070DC89
                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,00002710), ref: 0070DD4F
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0070DD9F
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0070DDB2
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0070DE41
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070DE67
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0070DE7E
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                             • Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
                                                                                                                                                                                                            • String ID: D
                                                                                                                                                                                                            • API String ID: 1130065513-2746444292
                                                                                                                                                                                                            • Opcode ID: d120fc259a19dc91d5c200932ece4df6a9a33f4c44b44d7db685c3eff5f703f1
                                                                                                                                                                                                            • Instruction ID: 0af8a96887c7f7b90285ffb18031809ab0890c1ade274844db3f90ac8b980d30
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d120fc259a19dc91d5c200932ece4df6a9a33f4c44b44d7db685c3eff5f703f1
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 91026576611205DBCB18CFACEC869EA7BF5FB48700714C21AE902D62F0EB3C9951CB59
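The argument values in the APIs lists above (CreateFileA, SetHandleInformation, CreateProcessA, WaitForSingleObject) and in the OpenSCManagerA / CreateServiceA entry that follows are printed as raw hex. The Python helper below is an analysis aid added here; it is not part of the Joe Sandbox report, the sandbox's own tooling, or the sample. It parses trace lines in the "Api.MODULE(args), ref: ADDR" format used on this page and decodes the documented Win32 constants: file access masks and creation dispositions, service access, service type and start type, handle inheritance flags, and millisecond timeouts. The trace lines embedded in it are copied from this report. The persistence check it ends with (OpenSCManagerA requesting SC_MANAGER_CREATE_SERVICE, followed by CreateServiceA with SERVICE_AUTO_START, followed by StartServiceA) is an analyst's heuristic written for this example, not a Joe Sandbox signature.

```python
"""Decode Win32 API arguments from Joe Sandbox 'APIs' trace lines.

Added analysis helper (not from the report or the sample). Constants are the
documented Win32 values; the regex matches the trace format used on this page.
"""
import re
from typing import Dict, List, Optional

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

def parse_api_line(line: str) -> Optional[dict]:
    """Return {'api','module','args','ref'}; args are ints, or None for '?'."""
    m = API_LINE.search(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        if raw in ("", "?"):
            args.append(None)                       # value not recovered by the sandbox
        elif raw.startswith("-"):                   # printed as signed, e.g. -00000002
            args.append((-int(raw[1:], 16)) & 0xFFFFFFFF)
        else:
            args.append(int(raw, 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}

# Documented Win32 constants (bit flags as (mask, name) lists, enums as dicts).
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
SC_MANAGER = [(0x1, "SC_MANAGER_CONNECT"), (0x2, "SC_MANAGER_CREATE_SERVICE"),
              (0x4, "SC_MANAGER_ENUMERATE_SERVICE")]
SERVICE_ACCESS = [(0xF01FF, "SERVICE_ALL_ACCESS"), (0x10, "SERVICE_START"),
                  (0x20, "SERVICE_STOP"), (0x2, "SERVICE_CHANGE_CONFIG")]
SERVICE_TYPE = [(0x10, "SERVICE_WIN32_OWN_PROCESS"), (0x20, "SERVICE_WIN32_SHARE_PROCESS"),
                (0x100, "SERVICE_INTERACTIVE_PROCESS")]
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
CONFIG_LEVEL = {1: "SERVICE_CONFIG_DESCRIPTION", 2: "SERVICE_CONFIG_FAILURE_ACTIONS",
                3: "SERVICE_CONFIG_DELAYED_AUTO_START_INFO"}
HANDLE_FLAGS = [(0x1, "HANDLE_FLAG_INHERIT"), (0x2, "HANDLE_FLAG_PROTECT_FROM_CLOSE")]
CREATION = [(0x4, "CREATE_SUSPENDED"), (0x10, "CREATE_NEW_CONSOLE"),
            (0x8000000, "CREATE_NO_WINDOW"), (0x80000, "EXTENDED_STARTUPINFO_PRESENT")]

def flags(value: int, table) -> str:
    """Name every known bit in value; leftover or zero is shown as hex."""
    names, rest = [], value
    for mask, name in table:
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)

def enum(value: int, table: Dict[int, str]) -> str:
    return table.get(value, hex(value))

def millis(value: int) -> str:
    return "INFINITE" if value == 0xFFFFFFFF else f"{value} ms ({value / 1000:g} s)"

# Which argument slot of each API carries a decodable constant.
SPECS = {
    "CreateFileA": [(1, "dwDesiredAccess", lambda v: flags(v, GENERIC)),
                    (2, "dwShareMode", lambda v: flags(v, SHARE)),
                    (4, "dwCreationDisposition", lambda v: enum(v, DISPOSITION))],
    "OpenSCManagerA": [(2, "dwDesiredAccess", lambda v: flags(v, SC_MANAGER))],
    "CreateServiceA": [(3, "dwDesiredAccess", lambda v: flags(v, SERVICE_ACCESS)),
                       (4, "dwServiceType", lambda v: flags(v, SERVICE_TYPE)),
                       (5, "dwStartType", lambda v: enum(v, START_TYPE))],
    "ChangeServiceConfig2A": [(1, "dwInfoLevel", lambda v: enum(v, CONFIG_LEVEL))],
    "SetHandleInformation": [(1, "dwMask", lambda v: flags(v, HANDLE_FLAGS)),
                             (2, "dwFlags", lambda v: flags(v, HANDLE_FLAGS))],
    "CreateProcessA": [(4, "bInheritHandles", lambda v: str(bool(v))),
                       (5, "dwCreationFlags", lambda v: flags(v, CREATION))],
    "Sleep": [(0, "dwMilliseconds", millis)],
    "WaitForSingleObject": [(1, "dwMilliseconds", millis)],
    "WriteFile": [(2, "nNumberOfBytesToWrite", lambda v: f"{v} bytes")],
}

def decode_line(line: str) -> Optional[dict]:
    """Parse one trace line and attach decoded parameter names under 'params'."""
    rec = parse_api_line(line)
    if rec is None:
        return None
    params = {}
    for idx, name, fn in SPECS.get(rec["api"], []):
        if idx < len(rec["args"]) and rec["args"][idx] is not None:
            params[name] = fn(rec["args"][idx])
    rec["params"] = params
    return rec

def service_persistence(lines: List[str]) -> bool:
    """Heuristic (added here): an auto-start service is created and then started."""
    stage = 0
    for rec in filter(None, map(decode_line, lines)):
        p = rec["params"]
        if stage == 0 and rec["api"] == "OpenSCManagerA" \
                and "SC_MANAGER_CREATE_SERVICE" in p.get("dwDesiredAccess", ""):
            stage = 1
        elif stage == 1 and rec["api"] == "CreateServiceA" \
                and p.get("dwStartType") == "SERVICE_AUTO_START":
            stage = 2
        elif stage == 2 and rec["api"] == "StartServiceA":
            return True
    return False

# Trace lines copied from the APIs sections of this report.
REPORT_LINES = [
    "CreateFileA.KERNELBASE(007027D6,80000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,?,007047E5,007027D6,00000000,00003571,00000003), ref: 0070770C",
    "CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 006E3BF6",
    "SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0070D9F9",
    "CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0070DBCC",
    "WaitForSingleObject.KERNEL32(?,00002710), ref: 0070DD4F",
    "OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00703685",
    "CreateServiceA.ADVAPI32(00000000,00A46118,00A46118,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 007036D6",
    "ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00703728",
    "StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0070374C",
]

if __name__ == "__main__":
    for rec in filter(None, map(decode_line, REPORT_LINES)):
        print(f"{rec['ref']:08X} {rec['api']:<22} {rec['params']}")
    print("auto-start service installed and started:", service_persistence(REPORT_LINES))
```

Run against the lines above, the decoder shows the second CreateFileA opening a path with GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS (a file is written, not just read), SetHandleInformation clearing HANDLE_FLAG_INHERIT on the parent's pipe end before CreateProcessA is called with bInheritHandles set (the standard pattern for feeding a child through redirected standard handles; the 0x44 in the lpStartupInfo slot equals sizeof(STARTUPINFOA) on 32-bit Windows and is ASCII "D", the likely origin of the String ID "D" in this entry), a 10 s WaitForSingleObject on the child, and a service registered with SERVICE_ALL_ACCESS as SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS with SERVICE_AUTO_START. In the CreateServiceA line the service name and display name slots hold the same pointer (00A46118), and the lpServiceStartName slot is NULL, which per the Win32 documentation means the service runs as LocalSystem.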
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00703685
                                                                                                                                                                                                            • CreateServiceA.ADVAPI32(00000000,00A46118,00A46118,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 007036D6
                                                                                                                                                                                                            • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00703728
                                                                                                                                                                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0070374C
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0070375D
                                                                                                                                                                                                            • OpenServiceA.ADVAPI32(00000000,00000010), ref: 007037D1
                                                                                                                                                                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00703836
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00703847
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 007038B1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
                                                                                                                                                                                                            • String ID: 3ch$qh~B
                                                                                                                                                                                                            • API String ID: 3525021261-274300185
                                                                                                                                                                                                            • Opcode ID: 082b8d9dc0395f5996b55e1382fd4b63a425adbfa9529ddfc23d476c4c698b22
                                                                                                                                                                                                            • Instruction ID: 51f7b0fc490c4abbdb2ea00594c80215a6efe10129ba002d5d08c72c648e5775
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 082b8d9dc0395f5996b55e1382fd4b63a425adbfa9529ddfc23d476c4c698b22
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 829166B5524600EBC7088F6CED959F977F9FB49701700C11AE8029A2F1EB7D9A42CB6D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006F11F7
                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 006F1267
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 006F128B
                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 006F12D1
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 006F153B
                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 006F157E
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 006F158F
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$CloseCreateHandle$CountReadTickWrite
                                                                                                                                                                                                            • String ID: Ra);
                                                                                                                                                                                                            • API String ID: 3478262135-4229484525
                                                                                                                                                                                                            • Opcode ID: 334d49256a5de17ba64e4952063abc55265b1e22853813b116ee7a1d188751d0
                                                                                                                                                                                                            • Instruction ID: b11d1b2e1b51388a2c52b8293039ea513a9150fa67d8d571278ba44730876ba6
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 334d49256a5de17ba64e4952063abc55265b1e22853813b116ee7a1d188751d0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78B1DFB1515204EED7588F6CEC929FA37F9FB49754710C11AEA01CA2E0EB3C9942CB1E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006F16B2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 006F17BE
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 006F1932
                                                                                                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 006F1991
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,0000000A,00000000), ref: 006F1A6A
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F1ACE
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 006F1AF5
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 930127669-0
                                                                                                                                                                                                            • Opcode ID: 1bc4c8e651d208d9b6ce584518e9dbf488b333c3fd3196930b1ad111f0748ab8
                                                                                                                                                                                                            • Instruction ID: 536c8d78223c7f582635571d776085b5985622a07ab0aa9ec78531569f5fc3fb
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1bc4c8e651d208d9b6ce584518e9dbf488b333c3fd3196930b1ad111f0748ab8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18C1EF76505604DBD718DF6CEC966F933B5FB55311B00C11AEA06CA2E0EB7C9942CB8D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 006F9FF7
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 006FA049
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 006FA061
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 006FA162
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 006FA3B6
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1579346331-0
                                                                                                                                                                                                            • Opcode ID: 93de15114c75c973664fc1a9a81375b8f22cc8d3fc5312005676b74d42627ca1
                                                                                                                                                                                                            • Instruction ID: 1ee07b34093fc8025a93baa15c58787790792f0abb4007a261ee91604fd70303
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 93de15114c75c973664fc1a9a81375b8f22cc8d3fc5312005676b74d42627ca1
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 44D1BCB6905604DBC708CFACED959F977F6FB44310B15C01AE905DA2E0EB3CAA81CB59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006F08C2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 006F0966
                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,000000B3), ref: 006F0A15
                                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,000000B3), ref: 006F0A64
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,000000B3), ref: 006F0A82
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F0AD2
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 006F0B10
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2696918072-0
                                                                                                                                                                                                            • Opcode ID: 72fb489fd8e327bd18464b866246b37d8a19727076fe42507835c848a084f966
                                                                                                                                                                                                            • Instruction ID: 69c723c71cbd42d3a11ea41a7e180b5ef819feedea103dfcf7359953b7b7454a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 72fb489fd8e327bd18464b866246b37d8a19727076fe42507835c848a084f966
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8A819776511615DBD348CB6CFC92AF933B9FB48702B00C11AE941D66E1EB3C9981CB4D
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 006FB104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 006FB16D
• CloseHandle.KERNEL32(00000000), ref: 006FB1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006FB25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 006FB2AB
• CloseHandle.KERNEL32(00000000), ref: 006FB2D8
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 059fc79415b1605b349729b29649caa8b20b4f325d61d707f5f228feb066ced9
• Instruction ID: 98ed90dfab68b7a7c89c8d3a877680fa0fb15681efcaf38f973fb601a04484cb
• Opcode Fuzzy Hash: 059fc79415b1605b349729b29649caa8b20b4f325d61d707f5f228feb066ced9
• Instruction Fuzzy Hash: 7471AB75515208DBC318CF6CED928FA37B9FB48315710D61AEA52C66E0E73C9A42CB1D
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000009,00000002,?,006ED583,006EAD87,00000002,00000000), ref: 00704637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00704655
• CloseHandle.KERNEL32(00000000,?,006ED583,006EAD87,00000002,00000000,?,?,?,?,?,?,?,00000009,?,?), ref: 0070468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,006ED583,006EAD87,00000002,00000000,?,?,?,?,?,?,?,00000009,?), ref: 007046A1
• CloseHandle.KERNEL32(?,006ED583,006EAD87,00000002,00000000,?,?,?,?,?,?,?,00000009,?,?), ref: 00704712
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 69b09566c52901683c734c580b85b03aec288c6ad52d3ada374a6b5cdd61ed8f
• Instruction ID: 09c3e3572029f347cf32351aac684f7f09887acf7bf3aa9d86bed90ad55db331
• Opcode Fuzzy Hash: 69b09566c52901683c734c580b85b03aec288c6ad52d3ada374a6b5cdd61ed8f
• Instruction Fuzzy Hash: 684158B6111240DFC328CF6CED899A63BFAFB89711710C51AE946C66F0E73C9852CB19
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00704CBC
  • Part of subcall function 006F074E: wvsprintfA.USER32(?,?,00000000), ref: 006F07C3
• Sleep.KERNEL32(00015F90), ref: 00704E60
• DeleteFileA.KERNEL32(?), ref: 00704E7F
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: c28b9d40edbf6a3007595a83a5770e7f63c8a823424721bbaccea842b0fb386e
• Instruction ID: 3ee5e147dee393b28c0d422bb7a22c1709291f829748d30c868956ec0b8efa11
• Opcode Fuzzy Hash: c28b9d40edbf6a3007595a83a5770e7f63c8a823424721bbaccea842b0fb386e
• Instruction Fuzzy Hash: A0D1ADB5611208DAC718DF6CEC969E637F9FB48710B00C51AEA05CA2F1DB3C9A81CB5D
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006F9C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 006F9CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 006F9DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 006F9E86
Memory Dump Source
• Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
• Opcode ID: b749289b804920d445166028ef2603beabf580b529154c83b378f152dc8c5335
• Instruction ID: 80cf1d29010d93e3db4533f86b972eeb3a9dd4c45ed9ccb7a69fd3adb90a6782
• Opcode Fuzzy Hash: b749289b804920d445166028ef2603beabf580b529154c83b378f152dc8c5335
• Instruction Fuzzy Hash: EE81BC75611204DBC714DF6CEC86AFA37BAFB44711B10C419EA02D62E1EB3C9982CB6D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,006F8146,00000000,?,00000000,?,006EF85A,0070970E,?,?,00709573,0070970E,00000001), ref: 00709143
                                                                                                                                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,006F8146,00000000), ref: 0070914A
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,006F8146,00000000,?,00000000,?,006EF85A,0070970E,?,?,00709573,0070970E,00000001,?), ref: 00709174
                                                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,006F8146,00000000,?,00000000,?,006EF85A,0070970E,?,?,00709573,0070970E,00000001,?), ref: 0070917B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2246668141.00000000006E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246641320.00000000006E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246701399.000000000070F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246720509.0000000000710000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246738863.0000000000713000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2246758326.000000000071C000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6e0000_yanidfx.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: dd7e56b58759708e72e694a2ce2a68e46365ffa2f3a62f063c90cdb504d30aa6
• Instruction ID: df38a904b6569e63d4a6d5f31aa332377223e75193f96d832ddbfc7db75b2e8b
• Opcode Fuzzy Hash: dd7e56b58759708e72e694a2ce2a68e46365ffa2f3a62f063c90cdb504d30aa6
• Instruction Fuzzy Hash: B5011A76580604DFCB089FA8FC996A93BB4FB48701B44C115F90A866E1EB7D94418B4C

Execution Graph

Execution Coverage:8.9%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:0%
Total number of Nodes:1498
Total number of Limit Nodes:7
                                                                                                                                                                                                            execution_graph 8936 f7686 8939 efc1b 8936->8939 8942 1094b4 8939->8942 8943 1094e3 8942->8943 8944 1094bd Mailbox 8942->8944 8945 ede5a Mailbox 2 API calls 8944->8945 8945->8943 9198 ead87 9199 eada3 9198->9199 9254 e501c 9199->9254 9201 eae0e 9202 10443e 4 API calls 9201->9202 9207 eb26c Mailbox 9201->9207 9203 eaeff 9202->9203 9204 fa805 2 API calls 9203->9204 9205 eaf15 9204->9205 9206 e846d 9 API calls 9205->9206 9208 eaf2d 9206->9208 9209 f8251 2 API calls 9208->9209 9210 eaf56 9209->9210 9257 102306 9210->9257 9215 e5724 8 API calls 9216 eaf88 Mailbox 9215->9216 9217 fa805 2 API calls 9216->9217 9218 eafc5 9217->9218 9219 f0b92 9 API calls 9218->9219 9220 eafe2 9219->9220 9221 e5724 8 API calls 9220->9221 9222 eafee Mailbox 9221->9222 9223 f8251 2 API calls 9222->9223 9224 eb00f 9223->9224 9225 efe4b 8 API calls 9224->9225 9226 eb02d 9225->9226 9227 e5724 8 API calls 9226->9227 9228 eb036 Mailbox 9227->9228 9263 f1c14 9228->9263 9230 eb066 9267 e60ad 9230->9267 9232 eb085 Mailbox 9233 f5fba 9 API calls 9232->9233 9234 eb0c9 9233->9234 9321 e7ef1 9234->9321 9237 fa805 2 API calls 9238 eb0f8 9237->9238 9239 f0b92 9 API calls 9238->9239 9240 eb149 9239->9240 9241 e5724 8 API calls 9240->9241 9242 eb155 Mailbox 9241->9242 9243 f8251 2 API calls 9242->9243 9244 eb174 Mailbox 9243->9244 9245 109883 8 API calls 9244->9245 9246 eb19a 9245->9246 9247 109707 Mailbox 8 API calls 9246->9247 9248 eb1ea 9247->9248 9249 fa805 2 API calls 9248->9249 9250 eb217 9249->9250 9325 f8695 9250->9325 9252 eb235 9253 f8251 2 API calls 9252->9253 9253->9207 9255 109883 8 API calls 9254->9255 9256 e5042 SetEvent 9255->9256 9256->9201 9425 e4f0b 9257->9425 9260 f1bc3 9261 107848 8 API calls 9260->9261 9262 eaf7c 9261->9262 9262->9215 9264 f1c36 Mailbox 9263->9264 9265 ebdcb 8 API calls 
9264->9265 9266 f1ce6 Mailbox 9265->9266 9266->9230 9268 e6101 9267->9268 9269 fa805 2 API calls 9268->9269 9274 e623b Mailbox 9268->9274 9270 e61a7 9269->9270 9271 e846d 9 API calls 9270->9271 9272 e61d6 9271->9272 9273 f8251 2 API calls 9272->9273 9273->9274 9275 e6321 9274->9275 9278 e63fd 9274->9278 9276 fa805 2 API calls 9275->9276 9277 e635d 9276->9277 9279 e846d 9 API calls 9277->9279 9281 fa805 2 API calls 9278->9281 9280 e6381 9279->9280 9282 f8251 2 API calls 9280->9282 9283 e6487 Mailbox 9281->9283 9284 e639c Mailbox 9282->9284 9433 f7ab8 9283->9433 9284->9232 9287 f8251 2 API calls 9288 e64eb 9287->9288 9289 e651c 9288->9289 9290 e6598 9288->9290 9291 fa805 2 API calls 9289->9291 9445 e8036 9290->9445 9293 e6532 9291->9293 9295 e846d 9 API calls 9293->9295 9298 e6548 9295->9298 9296 e65cb 9302 fa805 2 API calls 9296->9302 9297 e6668 9299 eddd3 lstrlen 9297->9299 9300 f8251 2 API calls 9298->9300 9301 e66a4 9299->9301 9300->9284 9449 fae3b 9301->9449 9303 e65f2 9302->9303 9304 e846d 9 API calls 9303->9304 9306 e6612 9304->9306 9309 f8251 2 API calls 9306->9309 9309->9284 9311 fa805 2 API calls 9312 e6718 9311->9312 9313 f8251 2 API calls 9312->9313 9314 e6775 9313->9314 9315 1042b6 lstrlen 9314->9315 9316 e67c4 9315->9316 9317 ec622 5 API calls 9316->9317 9318 e67e3 9317->9318 9457 10d831 9318->9457 9322 e7f14 9321->9322 9323 edd8f 8 API calls 9322->9323 9324 e7f37 9323->9324 9324->9237 9326 f86b6 9325->9326 9327 e3e8c GetSystemTimeAsFileTime 9326->9327 9328 f8873 9327->9328 9329 1042b6 lstrlen 9328->9329 9335 f88d0 9329->9335 9330 f9185 Mailbox 9330->9252 9331 1042b6 lstrlen 9332 f8a48 9331->9332 9333 1042b6 lstrlen 9332->9333 9334 f8a56 9333->9334 9334->9330 9336 fa805 2 API calls 9334->9336 9335->9330 9335->9331 9337 f8ad5 9336->9337 9338 e846d 9 API calls 9337->9338 9339 f8b0f 9338->9339 9340 f8251 2 API calls 9339->9340 9341 f8b3d Mailbox 9340->9341 9342 fa805 2 API calls 9341->9342 9356 f8d19 9341->9356 9344 f8b9e 9342->9344 9343 f0b92 9 API calls 
9345 f8dbe 9343->9345 9346 f23e9 9 API calls 9344->9346 9347 e5724 8 API calls 9345->9347 9349 f8bc8 Mailbox 9346->9349 9348 f8dca Mailbox 9347->9348 9350 fa805 2 API calls 9348->9350 9352 f8251 2 API calls 9349->9352 9351 f8ded 9350->9351 9353 f0b92 9 API calls 9351->9353 9358 f8bf7 9352->9358 9354 f8e04 9353->9354 9355 e5724 8 API calls 9354->9355 9357 f8e10 Mailbox 9355->9357 9356->9343 9360 f8251 2 API calls 9357->9360 9358->9356 9359 f1c14 8 API calls 9358->9359 9361 f8c77 9359->9361 9362 f8e3b 9360->9362 9363 fa805 2 API calls 9361->9363 9364 f0b92 9 API calls 9362->9364 9365 f8cbd 9363->9365 9366 f8e8b 9364->9366 9368 e846d 9 API calls 9365->9368 9367 e5724 8 API calls 9366->9367 9371 f8e9a Mailbox 9367->9371 9369 f8cff 9368->9369 9370 f8251 2 API calls 9369->9370 9370->9356 9373 fa805 2 API calls 9371->9373 9408 f9051 Mailbox 9371->9408 9372 fa805 2 API calls 9374 f9087 9372->9374 9375 f8f09 9373->9375 9377 f0b92 9 API calls 9374->9377 9376 f0b92 9 API calls 9375->9376 9378 f8f23 9376->9378 9379 f90d7 9377->9379 9380 e5724 8 API calls 9378->9380 9381 e5724 8 API calls 9379->9381 9382 f8f32 Mailbox 9380->9382 9383 f90e3 Mailbox 9381->9383 9384 fa805 2 API calls 9382->9384 9385 f8251 2 API calls 9383->9385 9386 f8f5b 9384->9386 9387 f90fd 9385->9387 9389 f8251 2 API calls 9386->9389 9388 f9142 socket 9387->9388 9390 e5724 8 API calls 9387->9390 9388->9330 9392 f9197 9388->9392 9391 f8fbc Mailbox 9389->9391 9390->9388 9395 f074e wvsprintfA 9391->9395 9393 f91bb setsockopt 9392->9393 9394 f91f3 gethostbyname 9392->9394 9393->9394 9394->9330 9398 f9289 inet_ntoa inet_addr 9394->9398 9397 f8fdd 9395->9397 9399 f8251 2 API calls 9397->9399 9402 f92ef 9398->9402 9403 f92f9 htons connect 9398->9403 9401 f8ff4 9399->9401 9404 f0b92 9 API calls 9401->9404 9402->9403 9403->9330 9406 f932f Mailbox 9403->9406 9405 f9042 9404->9405 9407 e5724 8 API calls 9405->9407 9409 f939f send 9406->9409 9407->9408 9408->9372 9410 f93bb Mailbox 9409->9410 9410->9330 9411 109707 
Mailbox 8 API calls 9410->9411 9413 f93df Mailbox 9411->9413 9412 f946b recv 9412->9413 9413->9412 9416 f9784 closesocket 9413->9416 9419 f7f29 Mailbox 8 API calls 9413->9419 9420 109883 8 API calls 9413->9420 9421 f8251 GetProcessHeap RtlFreeHeap 9413->9421 9423 fa805 GetProcessHeap RtlAllocateHeap 9413->9423 9424 f23e9 9 API calls 9413->9424 9655 10d5e8 9413->9655 9659 ef1bd 9413->9659 9416->9330 9417 f97e1 9416->9417 9418 f1c14 8 API calls 9417->9418 9418->9330 9419->9413 9420->9413 9421->9413 9423->9413 9424->9413 9426 e4f16 9425->9426 9429 ee739 9426->9429 9430 ee751 9429->9430 9431 edd8f 8 API calls 9430->9431 9432 e4f36 9431->9432 9432->9260 9434 f7ae2 9433->9434 9440 e64bc 9434->9440 9486 106c12 9434->9486 9439 f7d11 9444 f7c94 Mailbox 9439->9444 9496 fbff6 9439->9496 9440->9287 9442 f7dab 9503 f70e6 9442->9503 9513 f761b 9444->9513 9446 e804b GetModuleFileNameA 9445->9446 9448 e65c2 9446->9448 9448->9296 9448->9297 9450 fae5e 9449->9450 9451 ebece 8 API calls 9450->9451 9452 e66de 9450->9452 9451->9452 9453 103ca3 9452->9453 9454 e6702 9453->9454 9455 103cd9 9453->9455 9454->9311 9455->9454 9456 fae3b 8 API calls 9455->9456 9456->9455 9458 10d84e Mailbox 9457->9458 9459 10d94f CreatePipe 9458->9459 9460 10d999 9459->9460 9461 10d9ad SetHandleInformation 9459->9461 9463 109707 Mailbox 8 API calls 9460->9463 9464 e6894 DeleteFileA 9460->9464 9465 10da12 9461->9465 9466 10da3b CreatePipe 9461->9466 9463->9464 9464->9284 9465->9466 9467 10da52 9466->9467 9468 10da66 SetHandleInformation 9466->9468 9469 10de64 CloseHandle 9467->9469 9471 10da9a Mailbox 9468->9471 9469->9460 9470 10de7b CloseHandle 9469->9470 9470->9460 9472 10db76 CreateProcessA 9471->9472 9473 10dbe0 CloseHandle 9472->9473 9474 10dc04 WriteFile 9472->9474 9478 10ddd2 CloseHandle 9473->9478 9474->9473 9476 10dc3e CloseHandle CloseHandle 9474->9476 9480 10dca1 9476->9480 9478->9469 9648 104101 9480->9648 9484 10dd6c CloseHandle CloseHandle 9484->9478 9487 106c2d 9486->9487 9488 e4088 4 API calls 
9487->9488 9489 106cb8 9488->9489 9490 e86e2 4 API calls 9489->9490 9491 f7c5d 9489->9491 9490->9491 9491->9444 9492 e86e2 9491->9492 9493 e86f8 9492->9493 9494 e4088 4 API calls 9493->9494 9495 e873e Mailbox 9494->9495 9495->9439 9516 e7bf8 9496->9516 9500 fc05c 9528 e774c 9500->9528 9502 fc089 Mailbox 9502->9442 9504 f70f3 9503->9504 9510 f71ef 9504->9510 9540 fa4b9 9504->9540 9507 fa805 2 API calls 9509 f740b 9507->9509 9508 fa805 2 API calls 9508->9510 9509->9510 9511 f8251 2 API calls 9509->9511 9510->9444 9512 f745e 9511->9512 9512->9508 9512->9510 9514 10572d 2 API calls 9513->9514 9515 f7661 9514->9515 9515->9440 9517 e7c25 9516->9517 9518 fa805 2 API calls 9517->9518 9519 e7c4e Mailbox 9518->9519 9520 f8251 2 API calls 9519->9520 9521 e7c82 9520->9521 9522 f0ce6 9521->9522 9523 f0d32 Mailbox 9522->9523 9525 f1054 Mailbox 9523->9525 9526 f0ecd 9523->9526 9534 f0113 9523->9534 9525->9500 9526->9525 9527 f0113 4 API calls 9526->9527 9527->9526 9529 e77a8 Mailbox 9528->9529 9530 f0ce6 4 API calls 9529->9530 9531 e7a60 9530->9531 9532 f0ce6 4 API calls 9531->9532 9533 e7ab2 9532->9533 9533->9502 9535 f0132 Mailbox 9534->9535 9536 fa805 2 API calls 9535->9536 9537 f0318 9536->9537 9538 f8251 2 API calls 9537->9538 9539 f05f9 9538->9539 9539->9526 9541 fa506 9540->9541 9542 106c12 4 API calls 9541->9542 9544 fa539 9542->9544 9543 10572d 2 API calls 9548 f719b 9543->9548 9545 fa58e 9544->9545 9546 fa563 9544->9546 9550 fa5e4 9544->9550 9551 e69a8 9545->9551 9547 10572d 2 API calls 9546->9547 9547->9548 9548->9507 9548->9510 9548->9512 9550->9543 9552 e69c7 Mailbox 9551->9552 9553 e4088 4 API calls 9552->9553 9564 e76f7 9552->9564 9554 e6c45 9553->9554 9555 e4088 4 API calls 9554->9555 9585 e70f3 9554->9585 9557 e6c6a 9555->9557 9556 e76cf 9558 e76fc 9556->9558 9559 e76e7 9556->9559 9563 e4088 4 API calls 9557->9563 9557->9585 9560 10572d 2 API calls 9558->9560 9562 10572d 2 API calls 9559->9562 9560->9564 9561 10572d 2 API calls 9561->9585 9562->9564 9566 e6c97 
9563->9566 9564->9550 9565 e86e2 4 API calls 9567 e6d18 9565->9567 9566->9565 9576 e6cb9 Mailbox 9566->9576 9566->9585 9567->9585 9586 edec6 9567->9586 9569 e6e4c 9573 e85a4 4 API calls 9569->9573 9570 e6e3d 9572 102405 4 API calls 9570->9572 9575 e6e47 9572->9575 9573->9575 9577 e85a4 4 API calls 9575->9577 9576->9569 9576->9570 9576->9585 9578 e6ec5 9577->9578 9579 e4088 4 API calls 9578->9579 9578->9585 9580 e6f71 9579->9580 9581 e85a4 4 API calls 9580->9581 9580->9585 9583 e6f9e 9581->9583 9582 e4088 4 API calls 9582->9583 9583->9582 9584 e85a4 4 API calls 9583->9584 9583->9585 9584->9583 9585->9556 9585->9561 9587 edf1f 9586->9587 9588 e4088 4 API calls 9587->9588 9589 e6d62 9587->9589 9588->9589 9589->9585 9590 102405 9589->9590 9591 102431 9590->9591 9598 e9903 9591->9598 9593 1024b6 9593->9576 9594 102450 9594->9593 9595 ee4e4 4 API calls 9594->9595 9596 10248c 9594->9596 9595->9594 9596->9593 9638 f6d72 9596->9638 9599 e9924 9598->9599 9600 e99a4 9599->9600 9601 e9a10 9599->9601 9604 e9952 9599->9604 9602 e99c4 9600->9602 9603 e86e2 4 API calls 9600->9603 9605 e85a4 4 API calls 9601->9605 9602->9604 9606 e85a4 4 API calls 9602->9606 9630 e99ea 9602->9630 9603->9602 9604->9594 9608 e9a45 9605->9608 9606->9630 9607 10572d 2 API calls 9607->9604 9609 e85a4 4 API calls 9608->9609 9608->9630 9610 e9aaa 9609->9610 9611 e4088 4 API calls 9610->9611 9610->9630 9612 e9aed 9611->9612 9613 e86e2 4 API calls 9612->9613 9612->9630 9614 e9b25 9613->9614 9615 e4088 4 API calls 9614->9615 9614->9630 9616 e9b46 9615->9616 9617 e4088 4 API calls 9616->9617 9616->9630 9618 e9b73 9617->9618 9619 edec6 4 API calls 9618->9619 9620 e9c7b 9618->9620 9618->9630 9621 e9c56 9619->9621 9622 edec6 4 API calls 9620->9622 9620->9630 9623 edec6 4 API calls 9621->9623 9621->9630 9624 e9d47 9622->9624 9623->9620 9625 f6d72 4 API calls 9624->9625 9632 e9e51 9624->9632 9625->9624 9626 ea66b 9627 e85a4 4 API calls 9626->9627 9628 ea6fa 9626->9628 9627->9628 9629 e85a4 4 API calls 9628->9629 
9628->9630 9629->9630 9630->9604 9630->9607 9631 e86e2 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9631->9632 9632->9626 9632->9630 9632->9631 9633 e534c GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9632->9633 9634 edec6 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9632->9634 9635 f6d72 4 API calls 9632->9635 9636 e85a4 4 API calls 9632->9636 9637 ee4e4 4 API calls 9632->9637 9633->9632 9634->9632 9635->9632 9636->9632 9637->9632 9639 f6d97 9638->9639 9640 f6f07 9639->9640 9641 f6dd4 9639->9641 9642 eb38e 4 API calls 9640->9642 9643 f6e66 9641->9643 9644 f6df4 9641->9644 9647 f6e24 9642->9647 9646 1058f9 4 API calls 9643->9646 9645 1058f9 4 API calls 9644->9645 9645->9647 9646->9647 9647->9596 9649 10410e 9648->9649 9650 109707 Mailbox 8 API calls 9649->9650 9653 10419c 9650->9653 9651 1041f1 ReadFile 9652 104256 WaitForSingleObject 9651->9652 9651->9653 9652->9484 9653->9651 9653->9652 9654 109883 8 API calls 9653->9654 9654->9653 9656 10d5ff 9655->9656 9657 e3e8c GetSystemTimeAsFileTime 9656->9657 9658 10d628 9656->9658 9657->9658 9658->9413 9660 ef206 9659->9660 9661 fa805 2 API calls 9660->9661 9662 ef22f 9661->9662 9663 f23e9 9 API calls 9662->9663 9664 ef250 Mailbox 9663->9664 9665 f8251 2 API calls 9664->9665 9666 ef28d 9665->9666 9667 fa805 2 API calls 9666->9667 9672 ef2a5 9666->9672 9668 ef2cb 9667->9668 9669 f23e9 9 API calls 9668->9669 9670 ef2e2 Mailbox 9669->9670 9671 f8251 2 API calls 9670->9671 9671->9672 9672->9413 8831 10d01d 8832 10d03a 8831->8832 8838 105d58 8832->8838 8836 10d067 8837 10d108 ExitProcess 8836->8837 8839 105d93 8838->8839 8849 e565e 8839->8849 8841 105dbb 8842 f5d50 8841->8842 8843 f5d87 GetStdHandle 8842->8843 8844 f5d74 8842->8844 8845 f5dc5 GetStdHandle 8843->8845 8846 f5db3 8843->8846 8844->8843 8847 f5dfa GetStdHandle 8845->8847 8846->8845 8847->8836 8850 e56c5 GetProcessHeap HeapAlloc 8849->8850 8851 e5695 8849->8851 8850->8841 8851->8850 9673 e519e 9674 1023a6 Mailbox 2 API calls 
9673->9674 9675 e51b3 9674->9675 8946 1040bb 8947 1040c6 8946->8947 8950 edd8f 8947->8950 8951 edda0 8950->8951 8952 102f94 8 API calls 8951->8952 8953 eddad 8952->8953 9687 1095bd 9688 1095c3 Mailbox 9687->9688 9689 1090f1 Mailbox 4 API calls 9688->9689 9690 109605 Mailbox 9689->9690 8954 f54a1 8955 f54ba 8954->8955 8956 f550a Mailbox 8954->8956 8957 f55fd CreateProcessA 8956->8957 8958 f5677 8957->8958 8959 f5633 CloseHandle CloseHandle 8957->8959 8959->8958 7944 10cdbf 7945 10ce1b 7944->7945 7948 fff2a 7945->7948 7946 10cf4c 8175 f8251 7948->8175 7952 fff74 7953 f8251 2 API calls 7952->7953 7954 fff88 7953->7954 7955 fa805 2 API calls 7954->7955 7956 fffc7 7955->7956 7957 f8251 2 API calls 7956->7957 7958 fffdb 7957->7958 7959 fa805 2 API calls 7958->7959 7960 10001a 7959->7960 7961 f8251 2 API calls 7960->7961 7962 10002e 7961->7962 7963 fa805 2 API calls 7962->7963 7964 100063 7963->7964 7965 f8251 2 API calls 7964->7965 7966 100077 7965->7966 7967 fa805 2 API calls 7966->7967 7968 1000f0 7967->7968 7969 f8251 2 API calls 7968->7969 7970 100126 7969->7970 7971 fa805 2 API calls 7970->7971 7972 1001a6 7971->7972 7973 f8251 2 API calls 7972->7973 7974 1001c4 7973->7974 7975 fa805 2 API calls 7974->7975 7976 100238 7975->7976 7977 f8251 2 API calls 7976->7977 7978 100252 7977->7978 7979 fa805 2 API calls 7978->7979 7980 100283 7979->7980 7981 f8251 2 API calls 7980->7981 7982 1002bf 7981->7982 7983 fa805 2 API calls 7982->7983 7984 100325 7983->7984 7985 f8251 2 API calls 7984->7985 7986 100339 7985->7986 7987 fa805 2 API calls 7986->7987 7988 10036a 7987->7988 7989 f8251 2 API calls 7988->7989 7990 1003bd 7989->7990 7991 fa805 2 API calls 7990->7991 7992 100402 7991->7992 7993 f8251 2 API calls 7992->7993 7994 100422 7993->7994 7995 fa805 2 API calls 7994->7995 7996 100469 7995->7996 7997 f8251 2 API calls 7996->7997 7998 1004b2 7997->7998 7999 f8251 2 API calls 7998->7999 8000 100503 Mailbox 7999->8000 8182 ede5a GetProcessHeap RtlFreeHeap 8000->8182 8004 
10054a 8005 fa805 2 API calls 8004->8005 8006 100560 GetEnvironmentVariableA 8005->8006 8007 1005b2 8006->8007 8008 f8251 2 API calls 8007->8008 8009 1005d0 CreateMutexA CreateMutexA CreateMutexA 8008->8009 8010 100665 8009->8010 8011 100809 8010->8011 8012 1006c9 8010->8012 8013 1006de GetTickCount 8010->8013 8189 e88a8 8011->8189 8012->8013 8015 1006f2 8013->8015 8017 fa805 2 API calls 8015->8017 8016 100818 GetCommandLineA 8020 1008a8 8016->8020 8019 100710 8017->8019 8023 f8251 2 API calls 8019->8023 8021 fa805 2 API calls 8020->8021 8022 1008c5 8021->8022 8025 f8251 2 API calls 8022->8025 8024 1007b7 8023->8024 8024->8011 8026 10092f 8025->8026 8027 101311 GetCommandLineA 8026->8027 8028 100964 8026->8028 8348 103e09 8027->8348 8029 fa805 2 API calls 8028->8029 8033 100996 8029->8033 8032 1013a1 8351 1042b6 8032->8351 8034 f8251 2 API calls 8033->8034 8036 100a10 8034->8036 8040 fa805 2 API calls 8036->8040 8042 100a21 8036->8042 8037 1013dc 8038 101417 GetModuleFileNameA 8037->8038 8039 1013f9 8037->8039 8354 f20d8 lstrlen 8038->8354 8039->8038 8045 100ac3 8040->8045 8345 f15e5 8042->8345 8047 f8251 2 API calls 8045->8047 8046 10145c 8052 f20d8 2 API calls 8046->8052 8048 100b1f 8047->8048 8048->8042 8292 ef793 8048->8292 8049 fa805 2 API calls 8050 1022a4 8049->8050 8555 ee2f8 8050->8555 8053 101510 8052->8053 8055 f20d8 2 API calls 8053->8055 8067 101523 8055->8067 8057 fa805 2 API calls 8063 100ba4 8057->8063 8058 101785 8377 e3b2c 8058->8377 8059 1022c9 8059->7946 8061 1017c8 8062 10175d 8061->8062 8385 fb3db 8061->8385 8062->8042 8065 f8251 2 API calls 8063->8065 8084 100be7 8065->8084 8066 1017ed 8068 e3e8c GetSystemTimeAsFileTime 8066->8068 8067->8058 8071 1015b0 8067->8071 8069 101806 8068->8069 8479 eddd3 8069->8479 8357 faf1f 8071->8357 8075 1015e1 8363 e5c39 8075->8363 8078 100d00 Sleep 8079 fb046 5 API calls 8078->8079 8080 100d57 8079->8080 8080->8084 8081 1015fa 8081->8062 8082 fa805 2 API calls 8081->8082 8085 101680 8082->8085 8083 100dd2 
Sleep 8083->8084 8084->8078 8084->8083 8108 100dfe 8084->8108 8297 f571f 8084->8297 8308 fb046 8084->8308 8320 e3e8c 8084->8320 8088 1042b6 lstrlen 8085->8088 8086 10186d 8090 1018fb WSAStartup 8086->8090 8087 f571f 6 API calls 8087->8108 8089 101695 MessageBoxA 8088->8089 8097 101738 8089->8097 8093 101928 8090->8093 8099 10197d 8090->8099 8091 100ee5 8092 fb046 5 API calls 8091->8092 8096 100ef9 8092->8096 8093->8049 8100 100f60 GetModuleFileNameA SetFileAttributesA 8096->8100 8101 1012ba 8096->8101 8102 f8251 2 API calls 8097->8102 8098 101a3d 8109 101a8c CloseHandle SetFileAttributesA 8098->8109 8133 101d7e 8098->8133 8099->8098 8483 10395f 8099->8483 8105 100fcc CopyFileA 8100->8105 8338 f54d8 8101->8338 8102->8062 8103 100ea2 Sleep 8103->8108 8110 fa805 2 API calls 8105->8110 8108->8087 8108->8091 8108->8103 8324 f0806 8108->8324 8111 101b05 CopyFileA 8109->8111 8112 101ae9 8109->8112 8113 101044 8110->8113 8114 101b22 SetFileAttributesA 8111->8114 8115 101c76 8111->8115 8112->8111 8123 f8251 2 API calls 8113->8123 8121 101b79 8114->8121 8122 101b5b 8114->8122 8524 eb7cd WaitForSingleObject 8115->8524 8116 f571f 6 API calls 8116->8133 8118 1019d7 8118->8062 8493 ef02c 8118->8493 8120 101e3f SetFileAttributesA CopyFileA SetFileAttributesA 8134 ef793 lstrlen 8120->8134 8130 101c27 Sleep 8121->8130 8515 f6bd8 8121->8515 8502 1035ad 8122->8502 8126 101077 8123->8126 8124 f0806 9 API calls 8128 101dcb Sleep 8124->8128 8139 fa805 2 API calls 8126->8139 8149 10111d 8126->8149 8128->8133 8132 f54d8 3 API calls 8130->8132 8132->8115 8133->8116 8133->8120 8133->8124 8138 101ed0 8134->8138 8135 101bef 8135->8130 8136 101195 SetFileAttributesA 8142 10126d 8136->8142 8137 101206 SetFileAttributesA 8137->8142 8141 fa805 2 API calls 8138->8141 8145 1010ce 8139->8145 8144 101ee6 8141->8144 8142->8101 8146 fa805 2 API calls 8144->8146 8147 f8251 2 API calls 8145->8147 8148 101f29 8146->8148 8147->8149 8150 f8251 2 API calls 8148->8150 8149->8136 8149->8137 8151 101f4e 
8150->8151 8526 1075ce 8151->8526 8153 101f65 8154 f8251 2 API calls 8153->8154 8155 101fc0 8154->8155 8530 10473b 8155->8530 8158 fa805 2 API calls 8159 102012 8158->8159 8160 fa805 2 API calls 8159->8160 8161 102031 8160->8161 8551 f074e 8161->8551 8163 102063 8164 f8251 2 API calls 8163->8164 8165 102079 8164->8165 8166 f8251 2 API calls 8165->8166 8167 102092 8166->8167 8168 f54d8 3 API calls 8167->8168 8169 1020d2 Mailbox 8168->8169 8170 102140 CreateThread 8169->8170 8172 102179 8170->8172 8171 1021c3 Sleep 8172->8171 8554 1074e8 StartServiceCtrlDispatcherA 8172->8554 8176 f8268 Mailbox 8175->8176 8177 ede5a Mailbox 2 API calls 8176->8177 8178 f82cb 8177->8178 8179 fa805 8178->8179 8561 1023a6 8179->8561 8181 fa878 Mailbox 8181->7952 8183 ede8a 8182->8183 8184 10d256 GetSystemTime 8183->8184 8185 10d2ec 8184->8185 8186 e3e8c GetSystemTimeAsFileTime 8185->8186 8187 10d368 GetTickCount 8186->8187 8188 10d39b 8187->8188 8188->8004 8190 e88cc 8189->8190 8191 e88ea GetVersionExA 8190->8191 8564 ee769 8191->8564 8197 e8b28 8200 fa805 2 API calls 8197->8200 8198 e89fc 8199 e8a89 CreateDirectoryA 8198->8199 8201 fa805 2 API calls 8199->8201 8202 e8bc2 8200->8202 8204 e8ae2 8201->8204 8587 e846d 8202->8587 8207 f8251 2 API calls 8204->8207 8206 f8251 2 API calls 8208 e8c06 Mailbox 8206->8208 8207->8197 8591 ec622 8208->8591 8210 e8d6f 8211 fc0de 6 API calls 8210->8211 8216 e8d85 8211->8216 8212 e8cfe DeleteFileA 8214 e8d3d RemoveDirectoryA 8212->8214 8215 e8d2b 8212->8215 8214->8210 8215->8214 8217 e8dc3 CreateDirectoryA 8216->8217 8218 e8e00 8217->8218 8219 ef793 lstrlen 8218->8219 8220 e8e64 CreateDirectoryA 8219->8220 8222 fa805 2 API calls 8220->8222 8223 e8eb8 8222->8223 8224 fa805 2 API calls 8223->8224 8225 e8f10 8224->8225 8226 f8251 2 API calls 8225->8226 8227 e8f6c 8226->8227 8228 e846d 9 API calls 8227->8228 8229 e8f89 8228->8229 8230 f8251 2 API calls 8229->8230 8231 e8f9b Mailbox 8230->8231 8232 ec622 5 API calls 8231->8232 8233 e8fca 8232->8233 8234 
e9769 8233->8234 8236 e906c 8233->8236 8237 e8fec 8233->8237 8235 ef793 lstrlen 8234->8235 8239 e977f SetFileAttributesA 8235->8239 8238 fa805 2 API calls 8236->8238 8240 fa805 2 API calls 8237->8240 8241 e9082 8238->8241 8249 e97e1 Mailbox 8239->8249 8242 e900e 8240->8242 8243 f074e wvsprintfA 8241->8243 8244 f074e wvsprintfA 8242->8244 8246 e90a0 8243->8246 8245 e9034 8244->8245 8247 f8251 2 API calls 8245->8247 8248 f8251 2 API calls 8246->8248 8250 e905d 8247->8250 8248->8250 8249->8016 8251 e9128 8250->8251 8252 e9144 CreateDirectoryA 8251->8252 8253 e917e 8252->8253 8254 ef793 lstrlen 8253->8254 8255 e91cd CreateDirectoryA 8254->8255 8256 fa805 2 API calls 8255->8256 8257 e9210 8256->8257 8258 fa805 2 API calls 8257->8258 8259 e923f 8258->8259 8260 f8251 2 API calls 8259->8260 8261 e927a 8260->8261 8262 e846d 9 API calls 8261->8262 8263 e928f 8262->8263 8264 f8251 2 API calls 8263->8264 8265 e9307 Mailbox 8264->8265 8266 ec622 5 API calls 8265->8266 8267 e9336 8266->8267 8268 e9716 8267->8268 8269 e9341 GetTempPathA 8267->8269 8268->8234 8270 1042b6 lstrlen 8269->8270 8271 e938b 8270->8271 8272 ef793 lstrlen 8271->8272 8273 e94ae CreateDirectoryA 8272->8273 8274 e94fd 8273->8274 8275 fa805 2 API calls 8274->8275 8276 e9519 8275->8276 8277 fa805 2 API calls 8276->8277 8278 e9577 8277->8278 8279 f8251 2 API calls 8278->8279 8280 e95a4 8279->8280 8281 e846d 9 API calls 8280->8281 8282 e95ba 8281->8282 8283 f8251 2 API calls 8282->8283 8284 e95dc Mailbox 8283->8284 8285 ec622 5 API calls 8284->8285 8286 e960b 8285->8286 8286->8268 8287 e9633 GetTempPathA 8286->8287 8288 e9670 8287->8288 8289 fa805 2 API calls 8288->8289 8290 e96a4 8289->8290 8291 f8251 2 API calls 8290->8291 8291->8268 8293 eddd3 lstrlen 8292->8293 8294 ef7bd 8293->8294 8295 1042b6 lstrlen 8294->8295 8296 ef80a 8294->8296 8295->8296 8296->8057 8298 f5751 CreateToolhelp32Snapshot 8297->8298 8301 f5828 8298->8301 8300 f58da Process32First 8303 f5a6c FindCloseChangeNotification 8300->8303 8305 f590e 
8300->8305 8301->8300 8302 f5a95 Mailbox 8301->8302 8302->8084 8303->8302 8304 f20d8 2 API calls 8304->8305 8305->8304 8306 f5a29 8305->8306 8307 f59c2 Process32Next 8305->8307 8306->8303 8307->8305 8309 fb068 CreateFileA 8308->8309 8311 fb11b 8309->8311 8312 fb142 GetFileTime 8309->8312 8311->8084 8313 fb1c7 8312->8313 8314 fb177 8312->8314 8317 fb204 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 8313->8317 8315 fb193 8314->8315 8316 fb1b1 CloseHandle 8314->8316 8315->8316 8316->8311 8318 fb264 GetFileSize CloseHandle 8317->8318 8319 fb2f4 8318->8319 8319->8311 8321 e3ebf GetSystemTimeAsFileTime 8320->8321 8323 e3f11 __aulldiv 8321->8323 8323->8084 8325 f084d CreateToolhelp32Snapshot 8324->8325 8327 f08ee Process32First 8325->8327 8328 f0b20 Mailbox 8325->8328 8330 f0aeb 8327->8330 8336 f0988 8327->8336 8328->8108 8331 f0b0f CloseHandle 8330->8331 8332 f0aea 8330->8332 8331->8328 8332->8330 8332->8331 8333 f20d8 2 API calls 8333->8336 8334 f09f5 OpenProcess 8334->8336 8335 f0aa4 Process32Next 8335->8332 8335->8336 8336->8333 8336->8334 8336->8335 8337 f0a61 TerminateProcess CloseHandle 8336->8337 8337->8336 8339 f54ea Mailbox 8338->8339 8340 f55fd CreateProcessA 8339->8340 8341 f5677 8340->8341 8342 f5633 8340->8342 8341->8042 8343 f564f CloseHandle CloseHandle 8342->8343 8344 f5645 8342->8344 8343->8341 8344->8343 8638 fbf87 8345->8638 8347 f1600 ExitProcess 8349 1042b6 lstrlen 8348->8349 8350 103e48 8349->8350 8350->8032 8352 1042cf lstrlen 8351->8352 8352->8037 8355 f210f CharLowerBuffA 8354->8355 8355->8046 8358 faf3f 8357->8358 8640 f111e 8358->8640 8360 faf7b 8361 f54d8 3 API calls 8360->8361 8362 fafe0 Mailbox 8361->8362 8362->8075 8364 e5c69 8363->8364 8365 1042b6 lstrlen 8364->8365 8372 e6052 Mailbox 8364->8372 8366 e5dce Sleep 8365->8366 8367 e5e25 8366->8367 8368 fa805 2 API calls 8367->8368 8369 e5e52 8368->8369 8370 f8251 2 API calls 8369->8370 8371 e5e87 FindFirstFileA 8370->8371 8371->8372 8374 e5ecd 8371->8374 8372->8081 8373 e5fdb DeleteFileA 
8373->8374 8375 e6018 FindNextFileA 8373->8375 8374->8373 8374->8375 8375->8374 8376 e602e FindClose 8375->8376 8376->8372 8378 ef793 lstrlen 8377->8378 8379 e3b68 8378->8379 8380 fa805 2 API calls 8379->8380 8381 e3b88 8380->8381 8382 f8251 2 API calls 8381->8382 8383 e3bc6 CreateFileA 8382->8383 8384 e3c14 Mailbox 8383->8384 8384->8061 8386 fb41c 8385->8386 8387 fb4ff GetComputerNameA 8386->8387 8388 fb536 8387->8388 8389 fb59e 8387->8389 8391 fa805 2 API calls 8388->8391 8390 fa805 2 API calls 8389->8390 8392 fb5fa 8390->8392 8393 fb552 8391->8393 8395 f8251 2 API calls 8392->8395 8394 f8251 2 API calls 8393->8394 8394->8389 8396 fb63d 8395->8396 8397 e846d 9 API calls 8396->8397 8398 fb661 8397->8398 8671 e695e 8398->8671 8400 fb6db Mailbox 8674 1084d7 8400->8674 8403 1042b6 lstrlen 8404 fb7d9 8403->8404 8709 f0b92 8404->8709 8408 fb834 Mailbox 8409 e695e 8 API calls 8408->8409 8410 fb891 8409->8410 8411 f0b92 9 API calls 8410->8411 8412 fb92e 8411->8412 8413 e5724 8 API calls 8412->8413 8414 fb93d Mailbox 8413->8414 8415 e695e 8 API calls 8414->8415 8416 fb964 8415->8416 8417 f0b92 9 API calls 8416->8417 8418 fb988 8417->8418 8419 e5724 8 API calls 8418->8419 8420 fb997 Mailbox 8419->8420 8421 e695e 8 API calls 8420->8421 8422 fb9cf 8421->8422 8423 f0b92 9 API calls 8422->8423 8424 fb9fe 8423->8424 8425 e5724 8 API calls 8424->8425 8426 fba0a Mailbox 8425->8426 8427 e695e 8 API calls 8426->8427 8428 fba25 8427->8428 8429 f0b92 9 API calls 8428->8429 8430 fba48 8429->8430 8431 e5724 8 API calls 8430->8431 8432 fba57 Mailbox 8431->8432 8433 e695e 8 API calls 8432->8433 8434 fba79 8433->8434 8435 fa805 2 API calls 8434->8435 8436 fba95 8435->8436 8437 f0b92 9 API calls 8436->8437 8438 fbab9 8437->8438 8439 e5724 8 API calls 8438->8439 8440 fbac8 Mailbox 8439->8440 8441 f8251 2 API calls 8440->8441 8442 fbaf7 8441->8442 8443 e695e 8 API calls 8442->8443 8444 fbb1f 8443->8444 8445 f0b92 9 API calls 8444->8445 8446 fbb3d 8445->8446 8447 e5724 8 API calls 8446->8447 
8448 fbb49 Mailbox 8447->8448 8449 e695e 8 API calls 8448->8449 8450 fbb75 8449->8450 8451 f0b92 9 API calls 8450->8451 8452 fbb96 8451->8452 8453 e5724 8 API calls 8452->8453 8454 fbba5 Mailbox 8453->8454 8455 e695e 8 API calls 8454->8455 8456 fbbcb 8455->8456 8716 e3cdc 8456->8716 8460 fbc06 8461 f0b92 9 API calls 8460->8461 8462 fbc12 8461->8462 8463 e5724 8 API calls 8462->8463 8464 fbc21 Mailbox 8463->8464 8465 e695e 8 API calls 8464->8465 8466 fbc3f 8465->8466 8467 f0b92 9 API calls 8466->8467 8468 fbc85 8467->8468 8469 e5724 8 API calls 8468->8469 8470 fbc94 Mailbox 8469->8470 8726 f5fba 8470->8726 8472 fbccc 8753 109707 8472->8753 8474 fbd04 Mailbox 8756 109883 8474->8756 8476 fbd30 8760 eee34 8476->8760 8478 fbd6e Mailbox 8478->8066 8480 ede20 8479->8480 8481 1042b6 lstrlen 8480->8481 8482 ede3f 8481->8482 8482->8086 8484 103980 8483->8484 8485 ef793 lstrlen 8484->8485 8486 1039f3 8485->8486 8487 fa805 2 API calls 8486->8487 8492 103a11 Mailbox 8486->8492 8488 103ace 8487->8488 8489 f8251 2 API calls 8488->8489 8490 103b0d 8489->8490 8808 f9b78 8490->8808 8492->8118 8494 ef065 8493->8494 8495 e3e8c GetSystemTimeAsFileTime 8494->8495 8497 ef079 8495->8497 8496 ef15a 8496->8098 8497->8496 8498 e3e8c GetSystemTimeAsFileTime 8497->8498 8501 ef104 8498->8501 8499 ef10f Sleep 8500 e3e8c GetSystemTimeAsFileTime 8499->8500 8500->8501 8501->8496 8501->8499 8503 1035f3 OpenSCManagerA 8502->8503 8505 1036a9 CreateServiceA 8503->8505 8512 1038db 8503->8512 8506 1036f0 ChangeServiceConfig2A StartServiceA CloseServiceHandle 8505->8506 8509 103777 OpenServiceA 8505->8509 8508 10388e CloseServiceHandle 8506->8508 8508->8512 8511 1037eb 8509->8511 8513 103811 StartServiceA CloseServiceHandle 8511->8513 8514 103866 8511->8514 8512->8121 8513->8514 8514->8508 8516 f6c36 8515->8516 8517 fa805 2 API calls 8516->8517 8518 f6c9d RegOpenKeyA 8517->8518 8519 f8251 2 API calls 8518->8519 8520 f6ccb 8519->8520 8521 f6d31 RegCloseKey 8520->8521 8522 1042b6 lstrlen 8520->8522 
8521->8135 8523 f6d0f RegSetValueExA 8522->8523 8523->8521 8525 eb846 8524->8525 8525->8062 8527 1075f4 8526->8527 8528 1076ef CreateFileA 8527->8528 8529 107732 Mailbox 8528->8529 8529->8153 8531 104771 8530->8531 8532 104797 8530->8532 8535 ebece 8 API calls 8531->8535 8533 fa805 2 API calls 8532->8533 8534 1047be 8533->8534 8536 1075ce CreateFileA 8534->8536 8535->8532 8537 1047e5 8536->8537 8538 f8251 2 API calls 8537->8538 8539 104803 8538->8539 8540 104835 Sleep 8539->8540 8550 1048af 8539->8550 8541 fa805 2 API calls 8540->8541 8542 104886 8541->8542 8545 1075ce CreateFileA 8542->8545 8547 10489b 8545->8547 8549 f8251 2 API calls 8547->8549 8548 101fe7 8548->8158 8549->8550 8550->8548 8825 1091aa 8550->8825 8552 f0764 wvsprintfA 8551->8552 8552->8163 8554->8171 8556 ee30a 8555->8556 8557 eb7cd WaitForSingleObject 8556->8557 8558 ee324 8557->8558 8559 f15e5 ExitProcess 8558->8559 8560 ee35a 8559->8560 8560->8059 8562 1023c0 8561->8562 8563 1023e2 GetProcessHeap RtlAllocateHeap 8561->8563 8562->8563 8563->8181 8566 ee79e AllocateAndInitializeSid 8564->8566 8567 e8954 8566->8567 8568 ee883 CheckTokenMembership 8566->8568 8571 e457c 8567->8571 8569 ee89f 8568->8569 8570 ee8c9 FreeSid 8568->8570 8569->8570 8570->8567 8572 e4595 8571->8572 8573 fa805 2 API calls 8572->8573 8574 e45da GetProcAddress 8573->8574 8575 f8251 2 API calls 8574->8575 8576 e4613 8575->8576 8577 e4623 GetCurrentProcess 8576->8577 8578 e463a 8576->8578 8577->8578 8578->8197 8579 fc0de GetWindowsDirectoryA 8578->8579 8580 fc125 8579->8580 8581 fa805 2 API calls 8580->8581 8586 fc1b6 8580->8586 8582 fc164 8581->8582 8583 f8251 2 API calls 8582->8583 8584 fc1a4 8583->8584 8585 1042b6 lstrlen 8584->8585 8585->8586 8586->8198 8588 e848a 8587->8588 8607 e4f47 8588->8607 8592 ec62f 8591->8592 8593 eb7cd WaitForSingleObject 8592->8593 8594 ec686 8593->8594 8595 ec6ef CreateFileA 8594->8595 8596 ec6b3 8594->8596 8599 ec75d 8595->8599 8601 ec79f Mailbox 8595->8601 8597 e4eb1 ReleaseMutex 8596->8597 
8606 e8c6e 8597->8606 8600 e4eb1 ReleaseMutex 8599->8600 8600->8606 8602 ec8fa WriteFile 8601->8602 8602->8601 8603 ec94e FindCloseChangeNotification 8602->8603 8636 e4eb1 ReleaseMutex 8603->8636 8606->8210 8606->8212 8608 e4f6e 8607->8608 8609 1042b6 lstrlen 8608->8609 8610 e4f99 8609->8610 8613 102f94 8610->8613 8612 e4fa3 8612->8206 8616 1094ec 8613->8616 8615 102fac Mailbox 8615->8612 8617 109509 Mailbox 8616->8617 8619 10950e Mailbox 8617->8619 8620 ef821 8617->8620 8619->8615 8621 ef845 8620->8621 8623 ef85a Mailbox 8621->8623 8624 f7f29 8621->8624 8623->8619 8626 f7f48 Mailbox 8624->8626 8625 f8135 8633 1090f1 8625->8633 8626->8625 8628 f802a 8626->8628 8632 f8109 Mailbox 8626->8632 8629 1023a6 Mailbox 2 API calls 8628->8629 8630 f8057 Mailbox 8629->8630 8631 ede5a Mailbox 2 API calls 8630->8631 8631->8632 8632->8623 8634 109152 GetProcessHeap HeapAlloc 8633->8634 8635 10912b GetProcessHeap RtlReAllocateHeap 8633->8635 8634->8632 8635->8632 8637 e4ecb 8636->8637 8637->8606 8639 fbfa3 8638->8639 8639->8347 8641 f114d 8640->8641 8642 f11d9 CreateFileA 8641->8642 8643 f1219 8642->8643 8644 f124b ReadFile CloseHandle 8643->8644 8645 f15a4 8643->8645 8646 f129d 8644->8646 8645->8360 8647 f12bd GetTickCount 8646->8647 8667 e51ca 8647->8667 8649 f12de 8650 1042b6 lstrlen 8649->8650 8651 f1310 8650->8651 8652 fa805 2 API calls 8651->8652 8653 f1378 8652->8653 8654 f8251 2 API calls 8653->8654 8657 f1416 8654->8657 8656 f154f 8656->8645 8658 f1564 WriteFile CloseHandle 8656->8658 8659 fa805 2 API calls 8657->8659 8666 f14e0 CreateFileA 8657->8666 8658->8645 8660 f147e 8659->8660 8661 1042b6 lstrlen 8660->8661 8662 f14a0 8661->8662 8663 f074e wvsprintfA 8662->8663 8664 f14a9 8663->8664 8665 f8251 2 API calls 8664->8665 8665->8666 8666->8656 8668 e51ea 8667->8668 8669 1042b6 lstrlen 8668->8669 8670 e5235 8669->8670 8670->8649 8672 109883 8 API calls 8671->8672 8673 e6983 8672->8673 8673->8400 8675 108577 8674->8675 8676 fa805 2 API calls 8675->8676 8677 108652 
8676->8677 8678 f8251 2 API calls 8677->8678 8679 1086d5 GetProcessHeap 8678->8679 8680 108711 8679->8680 8692 fb7c4 8679->8692 8681 fa805 2 API calls 8680->8681 8682 108739 LoadLibraryA 8681->8682 8684 f8251 2 API calls 8682->8684 8685 10878f 8684->8685 8686 fa805 2 API calls 8685->8686 8685->8692 8687 108837 GetProcAddress 8686->8687 8688 f8251 2 API calls 8687->8688 8689 10886e 8688->8689 8690 108886 FreeLibrary 8689->8690 8691 1088ac HeapAlloc 8689->8691 8690->8692 8693 108926 8691->8693 8694 1088fb FreeLibrary 8691->8694 8692->8403 8695 108a27 8693->8695 8696 10896c HeapFree 8693->8696 8694->8692 8700 fa805 2 API calls 8695->8700 8708 108d26 Mailbox 8695->8708 8697 10898e HeapAlloc 8696->8697 8697->8695 8699 1089fb FreeLibrary 8697->8699 8699->8692 8702 108ac3 8700->8702 8701 109094 HeapFree FreeLibrary 8701->8692 8703 f8251 2 API calls 8702->8703 8704 108b17 8703->8704 8705 fa805 2 API calls 8704->8705 8704->8708 8706 108d41 8705->8706 8707 f8251 2 API calls 8706->8707 8707->8708 8708->8701 8766 f23e9 8709->8766 8712 e5724 8713 e573e Mailbox 8712->8713 8714 109883 8 API calls 8713->8714 8715 e5789 8714->8715 8715->8408 8717 e3d0f Mailbox 8716->8717 8718 fa805 2 API calls 8717->8718 8719 e3d74 8718->8719 8720 f8251 2 API calls 8719->8720 8721 e3db8 8720->8721 8722 e4d07 8721->8722 8723 e4d1f 8722->8723 8724 1042b6 lstrlen 8723->8724 8725 e4d4c 8724->8725 8725->8460 8727 f6020 8726->8727 8728 fa805 2 API calls 8727->8728 8729 f604e 8728->8729 8730 fa805 2 API calls 8729->8730 8731 f6067 8730->8731 8732 fa805 2 API calls 8731->8732 8733 f60be 8732->8733 8734 f8251 2 API calls 8733->8734 8735 f60d2 8734->8735 8736 fa805 2 API calls 8735->8736 8737 f6144 8736->8737 8738 f8251 2 API calls 8737->8738 8739 f61a1 8738->8739 8740 f8251 2 API calls 8739->8740 8750 f621c 8740->8750 8741 f6a70 8742 f8251 2 API calls 8741->8742 8745 f6b1c Mailbox 8742->8745 8743 f07f5 8 API calls 8751 f664d Mailbox 8743->8751 8745->8472 8746 f07f5 8 API calls 8749 f6983 8746->8749 8747 
e5071 9 API calls 8747->8751 8748 e5071 9 API calls 8748->8750 8749->8741 8749->8746 8775 e5071 8749->8775 8750->8748 8750->8751 8772 f07f5 8750->8772 8751->8741 8751->8743 8751->8747 8751->8749 8754 1094ec Mailbox 8 API calls 8753->8754 8755 10970e 8754->8755 8755->8474 8757 109898 Mailbox 8756->8757 8758 1094ec Mailbox 8 API calls 8757->8758 8759 1098a3 Mailbox 8758->8759 8759->8476 8761 eee52 8760->8761 8785 f1da2 8761->8785 8763 eee71 Mailbox 8764 109883 8 API calls 8763->8764 8765 eef9f 8763->8765 8764->8765 8765->8478 8767 f23f5 8766->8767 8768 1042b6 lstrlen 8767->8768 8769 f2488 8768->8769 8770 102f94 8 API calls 8769->8770 8771 f0ba0 8770->8771 8771->8712 8781 eba10 8772->8781 8774 f0802 8774->8750 8776 eacbe 8775->8776 8777 1042b6 lstrlen 8776->8777 8778 ead02 8777->8778 8779 109883 8 API calls 8778->8779 8780 ead0c 8779->8780 8780->8749 8782 eba25 Mailbox 8781->8782 8783 1094ec Mailbox 8 API calls 8782->8783 8784 eba30 Mailbox 8783->8784 8784->8774 8790 edb48 8785->8790 8787 f1e43 8787->8763 8789 f1db4 8789->8787 8794 ebece 8789->8794 8791 edb5b Mailbox 8790->8791 8792 edb9f 8790->8792 8793 109707 Mailbox 8 API calls 8791->8793 8792->8789 8793->8792 8795 ebf08 8794->8795 8796 eb7cd WaitForSingleObject 8795->8796 8797 ebfa2 8796->8797 8798 fa805 2 API calls 8797->8798 8802 ec09d 8797->8802 8799 ebfe5 GetProcAddress 8798->8799 8800 fa805 2 API calls 8799->8800 8803 ec033 8800->8803 8801 e4eb1 ReleaseMutex 8804 ec2bd 8801->8804 8802->8801 8805 f8251 2 API calls 8803->8805 8804->8789 8806 ec06d GetProcAddress 8805->8806 8807 f8251 2 API calls 8806->8807 8807->8802 8809 f9b85 8808->8809 8810 109707 Mailbox 8 API calls 8809->8810 8811 f9c02 8810->8811 8812 eb7cd WaitForSingleObject 8811->8812 8813 f9c24 CreateFileA 8812->8813 8814 f9c5a 8813->8814 8818 f9c78 Mailbox 8813->8818 8816 e4eb1 ReleaseMutex 8814->8816 8815 f9c8b ReadFile 8815->8818 8824 f9e2f Mailbox 8816->8824 8817 f7f29 Mailbox 8 API calls 8817->8818 8818->8815 8818->8817 8819 f9e6a CloseHandle 
8818->8819 8820 109883 8 API calls 8818->8820 8821 f9dbc CloseHandle 8818->8821 8819->8814 8820->8818 8822 f9dd9 8821->8822 8823 e4eb1 ReleaseMutex 8822->8823 8823->8824 8824->8492 8827 1091e0 8825->8827 8826 1048e6 8829 eea59 CloseHandle 8826->8829 8827->8826 8828 1092ba WriteFile 8827->8828 8828->8826 8830 eea8e 8829->8830 8830->8548 9691 e59a1 9694 10cf7e 9691->9694 9695 10236a lstrlen 9694->9695 9696 e59af 9695->9696 8852 e4e3c 8853 e4e47 8852->8853 8856 f56c6 8853->8856 8857 f56e3 Mailbox 8856->8857 8860 fa7bc 8857->8860 8859 e4e9b 8861 ef821 Mailbox 8 API calls 8860->8861 8862 fa7d6 Mailbox 8861->8862 8862->8859 9700 e11b7 9701 e1214 9700->9701 9704 e122a Mailbox 9700->9704 9702 1042b6 lstrlen 9702->9704 9703 f074e wvsprintfA 9703->9704 9704->9701 9704->9702 9704->9703 8867 efa34 8870 e7fce 8867->8870 8869 efa42 8871 1042b6 lstrlen 8870->8871 8872 e7fe9 Mailbox 8871->8872 8872->8869 9705 e81b5 9706 e81dc 9705->9706 9707 e3b08 8 API calls 9706->9707 9708 e823c 9707->9708 9709 fbf07 8 API calls 9708->9709 9710 e8276 9709->9710 9711 ee9b3 9712 f9a0f 8 API calls 9711->9712 9713 ee9e3 9712->9713 9714 e5724 8 API calls 9713->9714 9715 eea10 9714->9715 8873 e9830 8874 e983b Mailbox 8873->8874 8875 102f94 8 API calls 8874->8875 8876 e98bd 8875->8876 8877 e444e 8878 e446b 8877->8878 8881 ee4e4 8878->8881 8882 ee513 8881->8882 8883 ee69a 8882->8883 8884 ee553 8882->8884 8899 eb38e 8883->8899 8886 ee576 8884->8886 8887 ee621 8884->8887 8891 1058f9 8886->8891 8888 1058f9 4 API calls 8887->8888 8890 e4575 8888->8890 8892 105931 8891->8892 8893 1059a1 8892->8893 8898 105937 8892->8898 8907 e85a4 8892->8907 8895 e85a4 4 API calls 8893->8895 8896 1059f4 8893->8896 8895->8896 8911 10572d 8896->8911 8898->8890 8900 eb3c3 8899->8900 8901 e85a4 4 API calls 8900->8901 8902 eb456 8900->8902 8901->8902 8903 e4088 4 API calls 8902->8903 8904 eb7b4 8902->8904 8905 eb4c3 8903->8905 8904->8890 8905->8904 8906 e4088 4 API calls 8905->8906 8906->8905 8909 e85be 8907->8909 8908 e860a 
Mailbox 8908->8893 8909->8908 8915 e4088 8909->8915 8912 105761 Mailbox 8911->8912 8913 1058d3 8912->8913 8914 ede5a Mailbox 2 API calls 8912->8914 8913->8898 8914->8912 8916 e40bc 8915->8916 8917 e40d8 8915->8917 8918 1023a6 Mailbox 2 API calls 8916->8918 8917->8908 8919 e40d1 Mailbox 8918->8919 8919->8917 8920 ede5a Mailbox 2 API calls 8919->8920 8920->8917 8964 1024d3 8965 10250c 8964->8965 8966 10d256 3 API calls 8965->8966 8967 10261c 8966->8967 8968 e5c39 10 API calls 8967->8968 8969 102645 8968->8969 8970 ef793 lstrlen 8969->8970 8971 102697 8970->8971 8972 fa805 2 API calls 8971->8972 8973 1026ad 8972->8973 8974 f8251 2 API calls 8973->8974 8990 102706 Mailbox 8974->8990 8975 109707 Mailbox 8 API calls 8976 102cf0 Sleep 8975->8976 9009 f2192 8976->9009 8978 f571f 6 API calls 8978->8990 8979 e3e8c GetSystemTimeAsFileTime 8979->8990 8980 f54d8 3 API calls 8980->8990 8982 10473b 12 API calls 8982->8990 8983 f8695 21 API calls 8983->8990 8984 fa805 GetProcessHeap RtlAllocateHeap 8984->8990 8985 e846d 9 API calls 8985->8990 8986 e695e 8 API calls 8986->8990 8988 e5724 8 API calls 8988->8990 8989 f8251 GetProcessHeap RtlFreeHeap 8989->8990 8990->8975 8990->8978 8990->8979 8990->8980 8990->8982 8990->8983 8990->8984 8990->8985 8990->8986 8990->8988 8990->8989 8991 107dc0 50 API calls 8990->8991 8992 104927 32 API calls 8990->8992 8993 10443e 8990->8993 9005 efe4b 8990->9005 8991->8990 8992->8990 8994 104470 8993->8994 8995 fa805 2 API calls 8994->8995 8996 1044cd 8995->8996 8997 fa805 2 API calls 8996->8997 8998 1044fc 8997->8998 9018 ea928 8998->9018 9001 f8251 2 API calls 9002 104546 9001->9002 9003 f8251 2 API calls 9002->9003 9004 10456f 9003->9004 9004->8990 9006 efe66 Mailbox 9005->9006 9007 109883 8 API calls 9006->9007 9008 eff60 Mailbox 9006->9008 9007->9008 9008->8990 9012 f21ab 9009->9012 9010 f22b7 DeleteFileA 9010->9012 9011 f233c 9014 f23c2 9011->9014 9029 eb920 9011->9029 9012->9010 9012->9011 9017 f23d9 9012->9017 9024 f9ef6 9012->9024 9033 e5430 
9014->9033 9017->8990 9019 ea95f Mailbox 9018->9019 9020 fa805 2 API calls 9019->9020 9021 eac5d 9020->9021 9022 f8251 2 API calls 9021->9022 9023 eac90 9022->9023 9023->9001 9037 f5b3e 9024->9037 9026 f9f0d 9041 e82bf 9026->9041 9030 eb93a 9029->9030 9032 eb97f 9030->9032 9056 ede9c 9030->9056 9032->9011 9034 e5438 9033->9034 9035 1094b4 Mailbox 2 API calls 9034->9035 9036 efc29 9035->9036 9038 f5b5a Mailbox 9037->9038 9039 f7f29 Mailbox 8 API calls 9038->9039 9040 f5b64 Mailbox 9039->9040 9040->9026 9042 e82cc 9041->9042 9043 e82dc 9042->9043 9045 f9a0f 9042->9045 9043->9012 9048 107848 9045->9048 9047 f9a1d 9047->9043 9049 10785a Mailbox 9048->9049 9052 104333 9049->9052 9051 107870 Mailbox 9051->9047 9053 10433e 9052->9053 9054 ef821 Mailbox 8 API calls 9053->9054 9055 1043a8 9054->9055 9055->9051 9059 e84ea 9056->9059 9060 e8529 9059->9060 9063 ebdcb 9060->9063 9062 e854b 9062->9032 9064 ebde1 Mailbox 9063->9064 9065 f7f29 Mailbox 8 API calls 9064->9065 9066 ebe04 Mailbox 9065->9066 9066->9062 9067 f98cc 9068 f1da2 12 API calls 9067->9068 9069 f9900 9068->9069 9070 109883 8 API calls 9069->9070 9071 f9994 9070->9071 9076 e50c3 9077 e50e0 9076->9077 9078 1042b6 lstrlen 9077->9078 9079 e510f Mailbox 9078->9079 9080 f7f29 Mailbox 8 API calls 9079->9080 9081 e5123 9080->9081 9082 e5071 9 API calls 9081->9082 9083 e5145 9082->9083 9086 fbf07 9083->9086 9087 fbf15 Mailbox 9086->9087 9088 109883 8 API calls 9087->9088 9089 e5183 9088->9089 9168 102f5d ExitProcess 9094 ebcdc 9095 ebcfa 9094->9095 9096 109707 Mailbox 8 API calls 9095->9096 9097 ebd13 9096->9097 9102 e563a 9097->9102 9099 ebd3a Mailbox 9100 109707 Mailbox 8 API calls 9099->9100 9101 ebdb8 9100->9101 9103 e5648 9102->9103 9104 edd8f 8 API calls 9103->9104 9105 e5659 9104->9105 9105->9099 9106 1084c2 9109 e8020 9106->9109 9112 10236a 9109->9112 9111 e802b 9113 1042b6 lstrlen 9112->9113 9114 102378 9113->9114 9114->9111 9119 ecedb FlushFileBuffers 9120 ecf0d GetLastError 9119->9120 9121 ecf39 9119->9121 
9120->9121 9169 ef553 9170 ef567 9169->9170 9171 ef5b5 9169->9171 9171->9170 9172 ef671 ReadFile 9171->9172 9172->9170 9173 eb353 9174 102f94 8 API calls 9173->9174 9175 eb377 9174->9175 9720 ec9ed 9721 eca6f RegisterServiceCtrlHandlerA 9720->9721 9723 ecb13 SetServiceStatus CreateEventA 9721->9723 9734 ecda7 9721->9734 9725 ecbde SetServiceStatus 9723->9725 9726 ecbcd 9723->9726 9727 ecc00 9725->9727 9726->9725 9728 ecc42 WaitForSingleObject 9727->9728 9728->9728 9729 ecc6f 9728->9729 9730 eb7cd WaitForSingleObject 9729->9730 9731 ecc84 SetServiceStatus CloseHandle 9730->9731 9732 ecd01 SetServiceStatus 9731->9732 9732->9734 9735 10cffe 9736 10d050 9735->9736 9737 105d58 2 API calls 9736->9737 9738 10d055 9737->9738 9739 f5d50 3 API calls 9738->9739 9740 10d067 9739->9740 9741 10d108 ExitProcess 9740->9741 9176 fb360 9177 fb378 9176->9177 9178 1042b6 lstrlen 9177->9178 9179 fb3a5 9178->9179 9182 efc31 9179->9182 9185 1098df 9182->9185 9184 efc47 9186 109923 9185->9186 9187 109982 9186->9187 9188 10998f 9186->9188 9189 ebdcb 8 API calls 9187->9189 9190 edbdf 8 API calls 9188->9190 9191 10998d Mailbox 9188->9191 9189->9191 9190->9191 9191->9184 9122 104ee1 9123 104efa 9122->9123 9126 10d527 9123->9126 9125 104f99 9127 10d544 9126->9127 9130 edbdf 9127->9130 9129 10d559 Mailbox 9129->9125 9131 edbf5 Mailbox 9130->9131 9132 ef821 Mailbox 8 API calls 9131->9132 9133 edc18 9132->9133 9133->9129 8924 e507a 8925 1042b6 lstrlen 8924->8925 8926 e50a9 8925->8926 9134 ee2f9 9135 ee30a 9134->9135 9136 eb7cd WaitForSingleObject 9135->9136 9137 ee324 9136->9137 9138 f15e5 ExitProcess 9137->9138 9139 ee35a 9138->9139 8927 eba72 8928 eba89 8927->8928 8930 ebb03 SetServiceStatus 8927->8930 8928->8930 8935 ebaa1 SetServiceStatus 8928->8935 8931 ebb88 SetEvent 8930->8931 8933 ebcd8 8931->8933 8935->8933
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00100590
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 001005E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00100629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00100649
• GetTickCount.KERNEL32 ref: 001006E6
• GetCommandLineA.KERNEL32 ref: 00100873
Strings
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: 241$C:\Windows\system32\config\systemprofile$HO$^d/$wb_m$~z0
• API String ID: 3327569919-55223334
• Opcode ID: 42bbb80f14f4a43bf0af0210a827c7f96492bb0ee31ca16abbd35ace3591e53d
• Instruction ID: 9d2dbb1851abc239425e7abadcacecdfb75496e367249fd488d4b1d48e0f3e03
• Opcode Fuzzy Hash: 42bbb80f14f4a43bf0af0210a827c7f96492bb0ee31ca16abbd35ace3591e53d
• Instruction Fuzzy Hash: 9303B775609205DBD70CDBA8FE86AFA37B5FB48700B40C11AE502CAEB1EB7598C1CB51

Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 490 e88a8-e88de call e57a9 493 e88ea-e898e GetVersionExA call ee769 call e457c 490->493 494 e88e0 490->494 499 e899c-e89c2 493->499 500 e8990-e899a 493->500 494->493 501 e89d7-e89dd 499->501 502 e89c4-e89d1 499->502 500->501 503 e8b3f-e8b5f 501->503 504 e89e3-e8add call fc0de call ef38b CreateDirectoryA call fa805 501->504 502->501 505 e8b65-e8b77 503->505 518 e8ae2-e8b3d call ef38b call f8251 504->518 507 e8ba9-e8bb0 505->507 508 e8b79-e8b93 505->508 511 e8bb6-e8c17 call fa805 call e846d call f8251 507->511 508->511 512 e8b95-e8ba7 508->512 525 e8c2d-e8c3f 511->525 526 e8c19-e8c2b 511->526 512->511 518->505 528 e8c4b-e8c73 call ec9ba call 10d492 call ec622 525->528 529 e8c41 525->529 526->528 536 e8d6f-e8e0c call fc0de call ef38b CreateDirectoryA call 105eaf 528->536 537 e8c79-e8ccc 528->537 529->528 549 e8e0e-e8e18 536->549 550 e8e1a 536->550 539 e8cfe-e8d29 DeleteFileA 537->539 540 e8cce-e8cec 537->540 542 e8d3d-e8d65 RemoveDirectoryA 539->542 543 e8d2b-e8d37 539->543 540->539 541 e8cee-e8cf8 540->541 541->539 542->536 543->542 551 e8e24-e8e26 549->551 550->551 552 e8e28-e8e42 551->552 553 e8e44 551->553 554 e8e46-e8e73 call ef793 552->554 553->554 557 e8e89-e8e8e 554->557 558 e8e75-e8e87 554->558 559 e8e94-e8f2f CreateDirectoryA call fa805 call ef38b call fa805 557->559 558->559 566 e8f64-e8fcf call f8251 call e846d call f8251 call ec9ba call 10d492 call ec622 559->566 567 e8f31-e8f57 559->567 581 e9769-e97f8 call ef793 SetFileAttributesA call f06af 566->581 582 e8fd5-e8fe6 566->582 567->566 568 e8f59-e8f5e 567->568 568->566 597 e97fa-e9815 581->597 598 e981b-e9826 call e5017 581->598 584 e906c-e90da call fa805 call f074e call f8251 582->584 585 e8fec-e906a call fa805 call f074e call f8251 582->585 605 e90e0-e910d 584->605 585->605 597->598 
606 e910f-e9126 605->606 607 e9132-e9192 call ef38b CreateDirectoryA call 105eaf 605->607 606->607 608 e9128 606->608 613 e9194-e91a0 607->613 614 e91c1-e9257 call ef793 CreateDirectoryA call fa805 call ef38b call fa805 607->614 608->607 613->614 615 e91a2-e91bb 613->615 624 e9259-e926c 614->624 625 e9272-e92a4 call f8251 call e846d 614->625 615->614 624->625 630 e92a6-e92be 625->630 631 e92c0-e92e7 625->631 632 e92ff-e933b call f8251 call ec9ba call 10d492 call ec622 630->632 631->632 633 e92e9-e92f9 631->633 642 e9756-e9763 632->642 643 e9341-e93c2 GetTempPathA call 1042b6 632->643 633->632 642->581 646 e93ea-e93ec 643->646 647 e93ee 646->647 648 e93c4-e93dd 646->648 651 e946e-e94fb call 105eaf call ef793 CreateDirectoryA 647->651 649 e93df-e93e9 648->649 650 e93f0-e9412 648->650 649->646 652 e9414-e941c 650->652 653 e9422-e9453 650->653 659 e950d-e9557 call fa805 call ef38b 651->659 660 e94fd-e9507 651->660 652->653 653->651 655 e9455-e9469 653->655 655->651 665 e956b-e9610 call fa805 call f8251 call e846d call f8251 call ec9ba call 10d492 call ec622 659->665 666 e9559-e9565 659->666 660->659 681 e9736-e9751 665->681 682 e9616-e9627 665->682 666->665 681->642 683 e9629 682->683 684 e9633-e96ce GetTempPathA call 105eaf call fa805 682->684 683->684 689 e96da-e96fe call ef38b 684->689 690 e96d0 684->690 693 e970f-e972a call f8251 689->693 694 e9700-e970a 689->694 690->689 693->681 697 e972c 693->697 694->693 697->681
APIs
• GetVersionExA.KERNEL32(0011B028), ref: 000E893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 000E8AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 000E8D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 000E8D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 000E8DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 000E8E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 000E9158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 000E91F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 000E936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 000E94DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 000E963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 000E97B0
Strings
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\hjflhukc\$Ua-W$\$gKV`
• API String ID: 1691758827-3231860264
• Opcode ID: 2d317b047f7a5f65652db276c16e0922a587014bbd40a0b8f4e0120dbd804d99
                                                                                                                                                                                                            • Instruction ID: c087d86031cf0d2ddd7a8e3e30bf07b41ad48fef4233cb90b6c6c8621d1348df
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2d317b047f7a5f65652db276c16e0922a587014bbd40a0b8f4e0120dbd804d99
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2582EEB1505244CFC70CDB65FE829FA37B9FB54700B40C02AE906EAEA2EB3499C5CB55

Control-flow Graph
(graph rendering not reproduced; in the original, nodes are marked Executed or Not Executed)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000F5804
• Process32First.KERNEL32(00000000,00000128), ref: 000F58E2
• Process32Next.KERNEL32(00000000,00000128), ref: 000F59E8
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 000F5A7E
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: 2b9f7100e9ce70ed40785931d0a369c460551cb9301f6724895e53e0f9b73697
• Instruction ID: fc6c9230d320e1dd87c1c5f29069c19d72ea9701d54688a4adeb1acb3cfde805
• Opcode Fuzzy Hash: 2b9f7100e9ce70ed40785931d0a369c460551cb9301f6724895e53e0f9b73697
• Instruction Fuzzy Hash: F091A975609604CBC75CDB69FEA55F937F5FB48311B14C11AEA02C6EA0EB3499C2CB41

Control-flow Graph
(graph rendering not reproduced; in the original, nodes are marked Executed or Not Executed)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000F08C2
• Process32First.KERNEL32(00000000,00000128), ref: 000F0966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000F0A15
• TerminateProcess.KERNELBASE(00000000,000000FF), ref: 000F0A64
• CloseHandle.KERNEL32(00000000), ref: 000F0A82
• Process32Next.KERNEL32(00000000,00000128), ref: 000F0AD2
• CloseHandle.KERNEL32(00000000), ref: 000F0B10
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
• String ID:
• API String ID: 2696918072-0
• Opcode ID: c893d011d2fe8477b62773bf3cb1687b68a3defb7e535b655a24a4db3300dbf3
• Instruction ID: 57cc137ff696516eb6274e7f2591aa788e0051b0c5bffedfb7ab2ee287f902ca
• Opcode Fuzzy Hash: c893d011d2fe8477b62773bf3cb1687b68a3defb7e535b655a24a4db3300dbf3
• Instruction Fuzzy Hash: 9481A776515615DBC34CCB68FF91AFA37B9FB48702B40C11AE902C6EA2EB3499C1CB45

Control-flow Graph
(graph rendering not reproduced; in the original, nodes are marked Executed or Not Executed)
APIs
• CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 000FB104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 000FB16D
• CloseHandle.KERNEL32(00000000), ref: 000FB1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000FB25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 000FB2AB
• CloseHandle.KERNEL32(00000000), ref: 000FB2D8
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 9af741e65bc4267d95a3e92981789f024ddbd4c92892ccead3e68e7c40bd7536
• Instruction ID: d9f985dec16b2453105995e00b57d8ba45715851329dd2f3cc244d4c5c5b2b7e
• Opcode Fuzzy Hash: 9af741e65bc4267d95a3e92981789f024ddbd4c92892ccead3e68e7c40bd7536
• Instruction Fuzzy Hash: A771B731515209DBC358CF68EE918FA3BF9FB48315754C21AE912C7EA0E7348AC1DB15

Control-flow Graph
(graph rendering not reproduced; in the original, nodes are marked Executed or Not Executed)
APIs
• CreateProcessA.KERNELBASE(?,000EDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 000F5628
• CloseHandle.KERNEL32(000EDA33,?,?,?,?,00000000), ref: 000F5652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 000F5665
Strings
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 0a63b8400a5282baad110721a8814aebdb881121d323bfc0f410f1b0d54dbab8
                                                                                                                                                                                                            • Instruction ID: fdc786bea8d15680b074419a515cfde334d53758aeb0f314a9ef94430b8b9dca
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0a63b8400a5282baad110721a8814aebdb881121d323bfc0f410f1b0d54dbab8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B41EF32500648DBC71CDBA5FF959FA37B6FB84701B00C01AEA12CBD61E7358881DB15

Control-flow Graph
control_flow_graph 777 f54d8-f54e8 778 f54ea-f550c 777->778 779 f5535-f55d8 call f06af * 2 777->779 780 f550e-f5529 778->780 781 f552b 778->781 786 f55fd-f5631 CreateProcessA 779->786 787 f55da-f55f6 779->787 780->779 781->779 789 f5677 786->789 790 f5633-f5643 786->790 787->786 788 f55f8 787->788 788->786 793 f5681-f568e 789->793 791 f564f-f5675 CloseHandle * 2 790->791 792 f5645 790->792 791->793 792->791
APIs
• CreateProcessA.KERNELBASE(?,000EDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 000F5628
• CloseHandle.KERNEL32(000EDA33,?,?,?,?,00000000), ref: 000F5652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 000F5665
Strings
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: c935e2ad0a91b4798000639ad7c06350a6f7b792dd49cca9c6bbbf33082c45c3
• Instruction ID: b727ee1e2574e595bc7eeedc739876a6ea61a69f809b17c0f2465148c27e6a97
• Opcode Fuzzy Hash: c935e2ad0a91b4798000639ad7c06350a6f7b792dd49cca9c6bbbf33082c45c3
• Instruction Fuzzy Hash: E941AC71501608DBCB5CDBA5FF9A9FA37B6FB84B01B40C01AE6129AD71EB3048C1DB55

Control-flow Graph
control_flow_graph 834 ec622-ec69d call 10dfa1 call eb7cd 839 ec69f 834->839 840 ec6a9-ec6b1 834->840 839->840 841 ec6ef-ec709 840->841 842 ec6b3-ec6ea call e4eb1 840->842 844 ec70b-ec71a 841->844 845 ec737-ec75b CreateFileA 841->845 850 ec9b6-ec9b9 842->850 844->845 847 ec71c-ec731 844->847 848 ec79f-ec7b3 845->848 849 ec75d-ec784 call e4eb1 845->849 847->845 852 ec7b8-ec7d2 848->852 858 ec798-ec79a 849->858 859 ec786-ec792 849->859 853 ec7f9-ec7fb 852->853 854 ec7d4-ec7f4 852->854 856 ec7fd-ec819 853->856 857 ec81b-ec82d 853->857 854->853 860 ec837-ec8a2 call f85e7 call 10970f 856->860 857->860 861 ec9b5 858->861 859->858 866 ec8d6-ec8ee 860->866 867 ec8a4-ec8d4 860->867 861->850 868 ec8fa-ec948 WriteFile 866->868 869 ec8f0 866->869 867->868 868->852 870 ec94e-ec962 868->870 869->868 871 ec964-ec96e 870->871 872 ec970-ec97c 870->872 873 ec982-ec9a2 FindCloseChangeNotification call e4eb1 871->873 872->873 875 ec9a7-ec9b4 873->875 875->861
APIs
  • Part of subcall function 000EB7CD: WaitForSingleObject.KERNEL32(000FAEAC,00004E20,00000001,?,000EBFA2,00000001,-AF16B4FB,?,000FAEAC,000E66DE), ref: 000EB81D
• CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,000E67E3,?,00000004,?,00000000,?), ref: 000EC746
• WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 000EC90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000001), ref: 000EC983
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
• String ID:
• API String ID: 2552625159-0
• Opcode ID: 0c0ca85a838f39819cbff8e8d4e41a046f748a700f92c941ed8726a5512b9d99
• Instruction ID: e9c977e8bbefa09e549da43eebb1211de546f2e3bcdb83e41a7913e1cadd7ccf
• Opcode Fuzzy Hash: 0c0ca85a838f39819cbff8e8d4e41a046f748a700f92c941ed8726a5512b9d99
• Instruction Fuzzy Hash: EF91B7B5515245DFC70CCF69FF959EA3BB5FB88720710C01AE402DAAB1E7328982CB45

Control-flow Graph
control_flow_graph 876 ee769-ee79c 877 ee79e-ee7b7 876->877 878 ee7b9-ee7ce 876->878 879 ee7d4-ee807 877->879 878->879 880 ee81a-ee82f 879->880 881 ee809-ee818 879->881 882 ee83b-ee881 AllocateAndInitializeSid 880->882 883 ee831 880->883 881->882 884 ee8ef-ee908 882->884 885 ee883-ee89d CheckTokenMembership 882->885 883->882 886 ee89f-ee8c2 885->886 887 ee8c9-ee8e9 FreeSid 885->887 886->887 887->884
APIs
• AllocateAndInitializeSid.ADVAPI32(000E8954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,000E8954), ref: 000EE865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 000EE895
• FreeSid.ADVAPI32(?), ref: 000EE8DC
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 4956f64bf68ca402eab2f67301913d670d1c51647f9f06a8fa89002222f20a55
• Instruction ID: 8e0657fe7a7176570260365dbeb354e97c1db23ba39c63569845c29fad331acd
• Opcode Fuzzy Hash: 4956f64bf68ca402eab2f67301913d670d1c51647f9f06a8fa89002222f20a55
• Instruction Fuzzy Hash: 2C4186B5919248EFCB0CCFA5EF846E977F5FB08305B80C01AE406D6AA0EB3499C1CB55

Control-flow Graph
control_flow_graph 888 f20d8-f210d lstrlen 889 f210f-f2119 888->889 890 f211b-f2127 888->890 891 f212d-f214f CharLowerBuffA 889->891 890->891
APIs
• lstrlen.KERNEL32(?,?,000F09C2,?,?,?), ref: 000F20F0
• CharLowerBuffA.USER32(?,00000000,?,000F09C2,?,?,?), ref: 000F2131
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: 795f59e1bebaf8387dfd66094fa16321d07468035315261b4795af236e75fdcb
• Instruction ID: 2e66132089d9686fc2b8f90ebe7fe38258d65c6b875ca3cc6a0fa57200f8bfe9
• Opcode Fuzzy Hash: 795f59e1bebaf8387dfd66094fa16321d07468035315261b4795af236e75fdcb
• Instruction Fuzzy Hash: 5CF067315142089BCB4D8F86EA564FA3BF2FB54700740C01AE9168AE70E7319DC0ABA6

Control-flow Graph
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,0010A3A7,?,?,?,0010D0BE), ref: 001023F6
• RtlAllocateHeap.NTDLL(00000000,?,0010A3A7,?,?,?,0010D0BE), ref: 001023FD
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: d4f0cc64bef9702dec386ca91395e7e9cc790b44c2981346b5c6c20a0e508161
• Instruction ID: 44990d12c6d7d91da55cc7c4204ee2b295cab7d44d8bf8e7d8deeefc1256e445
• Opcode Fuzzy Hash: d4f0cc64bef9702dec386ca91395e7e9cc790b44c2981346b5c6c20a0e508161
• Instruction Fuzzy Hash: 1CF0A0761002049BCE148FA8FE4A98A3764B318718B648012F485DE9E5D3B8E8858B90

Control-flow Graph
APIs
• GetProcessHeap.KERNEL32(00000000,000F8109,?,000F8109,00000000), ref: 000EDE6C
• RtlFreeHeap.NTDLL(00000000,?,000F8109,00000000), ref: 000EDE73
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 08d26db757c9be9a5afdd0abe27f07b4e53aaea21b269adeaac2c145c1f04c7f
• Instruction ID: b8cf3f73d2e9d7f5151593246b2856df95f30d297429ec68dd8bb5580316f6c9
• Opcode Fuzzy Hash: 08d26db757c9be9a5afdd0abe27f07b4e53aaea21b269adeaac2c145c1f04c7f
• Instruction Fuzzy Hash: 16E0C232540244EFEE08CBD6FE4B6843BE8FB21B41F00C111F145DAE30C72195C18A84

Control-flow Graph
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: e9b313c16b8435ca6ad17e65b3305f7cd306c3b0a216d5cf14ce87070ebb18aa
• Instruction ID: d91846bbdf11585e4dfff974fca257b8a86d1f6e1bf0bc11eba31e28e139a5eb
• Opcode Fuzzy Hash: e9b313c16b8435ca6ad17e65b3305f7cd306c3b0a216d5cf14ce87070ebb18aa
• Instruction Fuzzy Hash: C1D012240043489A87186F64EE064E53FB5FF047007859021E9409AC31DB70D980DB5B

Control-flow Graph
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 0010D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0010D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 0010DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0010DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0010DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 0010DC1C
• CloseHandle.KERNEL32(?), ref: 0010DC33
• CloseHandle.KERNEL32(?), ref: 0010DC66
• CloseHandle.KERNEL32(?), ref: 0010DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 0010DD4F
• CloseHandle.KERNEL32(?), ref: 0010DD9F
• CloseHandle.KERNEL32(?), ref: 0010DDB2
• CloseHandle.KERNEL32(?), ref: 0010DE41
• CloseHandle.KERNEL32(00000000), ref: 0010DE67
• CloseHandle.KERNEL32(?), ref: 0010DE7E
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
• Opcode ID: 189d053d075bb01adfea44ecf01236252d0a52b19d8efd9e13640ef3a9974ed4
• Instruction ID: 0e7b6a3063224ac2b15138043e766c65b2a675c4592aa77c411e715061d77c7c
• Opcode Fuzzy Hash: 189d053d075bb01adfea44ecf01236252d0a52b19d8efd9e13640ef3a9974ed4
• Instruction Fuzzy Hash: 55028576A15605DBCB0CCFA8FE819EA7BB5FB48700710C11AE842D7AB0EB7199C1CB55
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00103685
• CreateServiceA.ADVAPI32(00000000,015DE438,015DE438,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 001036D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00103728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0010374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 0010375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 001037D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00103836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00103847
• CloseServiceHandle.ADVAPI32(00000000), ref: 001038B1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
                                                                                                                                                                                                            • String ID: 3ch$qh~B
                                                                                                                                                                                                            • API String ID: 3525021261-274300185
                                                                                                                                                                                                            • Opcode ID: f14ddfc8e4165b92f3df8de31987c6afb5be1c9673a400f0f69543da002d909c
                                                                                                                                                                                                            • Instruction ID: d4647d43a4a7849d4fc7dcaf1a8a492f24e529431ace55aec9a4484a16b51100
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f14ddfc8e4165b92f3df8de31987c6afb5be1c9673a400f0f69543da002d909c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 559186B95156009BC70C8F68FF959F97BB9FB49701340C01AE82297EA0E7B599C2CB51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000F11F7
                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 000F1267
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000F128B
                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 000F12D1
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 000F153B
                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 000F157E
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000F158F
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$CloseCreateHandle$CountReadTickWrite
                                                                                                                                                                                                            • String ID: Ra);
                                                                                                                                                                                                            • API String ID: 3478262135-4229484525
                                                                                                                                                                                                            • Opcode ID: 7dd707b594ab0138438c65e7bf06a848868e3d07a8af0e3be4b004a471fc1dfe
                                                                                                                                                                                                            • Instruction ID: 726423eac2426fa888e4e7d4a06bd127d8ee6c066b6aead42b1317688ec5dfc7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7dd707b594ab0138438c65e7bf06a848868e3d07a8af0e3be4b004a471fc1dfe
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2DB1DAB2519605DED71C9F68FE919FA37F8FB48714700C01AEA11CAEA1EB3499C1CB19
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000F16B2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 000F17BE
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 000F1932
                                                                                                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 000F1991
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,0000000A), ref: 000F1A6A
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 000F1ACE
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 000F1AF5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 930127669-0
                                                                                                                                                                                                            • Opcode ID: 2a532f17b9cb6b8bbe6be17875d1c3c0267749af35bb99ae4f721a6c9daf3d54
                                                                                                                                                                                                            • Instruction ID: 14ea47faee0cd7c5f5ad0522f9fa9484f78828f5e1ecd8c4c1c277c57ea960b8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2a532f17b9cb6b8bbe6be17875d1c3c0267749af35bb99ae4f721a6c9daf3d54
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 96C10D76609604CBC70CDFA4FE966F937B4FB18311B00C11AEA06C6EA1EB7499C1CB85
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 000F9FF7
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 000FA049
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 000FA061
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 000FA162
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 000FA3B6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1579346331-0
                                                                                                                                                                                                            • Opcode ID: 049ad88a4a26a0abf3f876cf3cc5c8dbd9a6e27b68ed9a39c6d9f336b85a7d0d
                                                                                                                                                                                                            • Instruction ID: 64864d5c6ef2c7ab455c89343e6cd958a86965c7bcd0b46a509267d691e19735
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 049ad88a4a26a0abf3f876cf3cc5c8dbd9a6e27b68ed9a39c6d9f336b85a7d0d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DED1CAB6A05604DBC70CCF64FE91AF97BF5FB48710B14C01AE9159AEA0EB34A9C1DB41
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 000E5DEC
                                                                                                                                                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 000E5EB2
                                                                                                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 000E5FE2
                                                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 000E6020
                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 000E6042
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FileFind$CloseDeleteFirstNextSleep
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1528862845-0
                                                                                                                                                                                                            • Opcode ID: 62b7f4968a1b3a6b2e3759bba540f5287a9818afc90944863bdf83b4aaf13274
                                                                                                                                                                                                            • Instruction ID: b76e27ef3b233eb516fea97b26ce29acc1601ea23d344e682f152f75246b00df
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 62b7f4968a1b3a6b2e3759bba540f5287a9818afc90944863bdf83b4aaf13274
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DEA1DCB5515A55CFC71CCB65FE929E937B8FB48706710C41AE806CAEB0EB3499C2CB41
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 000ECAF2
• SetServiceStatus.ADVAPI32(0011B2DC), ref: 000ECB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000ECB78
• SetServiceStatus.ADVAPI32(0011B2DC), ref: 000ECBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 000ECC62
• SetServiceStatus.ADVAPI32(0011B2DC), ref: 000ECCAF
• CloseHandle.KERNEL32 ref: 000ECCC5
• SetServiceStatus.ADVAPI32(0011B2DC), ref: 000ECD8F
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: dad04817d0fdf5ac7507079fa4e4e6af673880dc0d53d0d2a7cdfa20f4b37bdd
• Instruction ID: a09aa2524654feed6b034f4962142dca8bb37cf1f29bc630b4b795c96e6ee88e
• Opcode Fuzzy Hash: dad04817d0fdf5ac7507079fa4e4e6af673880dc0d53d0d2a7cdfa20f4b37bdd
• Instruction Fuzzy Hash: B7912F7001A2518FD70CCF29EF99AEA3BF5FB18705340C52AE41686EB0EB3598C6CB45
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,000ED583,Function_0000AD87,00000002,00000000), ref: 00104637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00104655
• CloseHandle.KERNEL32(00000000,?,00000002,?,000ED583,Function_0000AD87,00000002,00000000), ref: 0010468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,000ED583,Function_0000AD87,00000002,00000000), ref: 001046A1
• CloseHandle.KERNEL32(?,00000002,?,000ED583,Function_0000AD87,00000002,00000000), ref: 00104712
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 0a5f7deba29eda39133ee71851719e0b7fd4c7f0c87729d87a77d4fe9d965e06
• Instruction ID: c46c5de2506160dc88429bdfedae152b62e677ffba05797fea639fcc8049c40d
• Opcode Fuzzy Hash: 0a5f7deba29eda39133ee71851719e0b7fd4c7f0c87729d87a77d4fe9d965e06
• Instruction Fuzzy Hash: 2D415579106240DBC32C8F68FF859AA7BB6FB9A711750C41AE546C6EB0E37198C1CB11
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00104CBC
  • Part of subcall function 000F074E: wvsprintfA.USER32(?,?,?), ref: 000F07C3
• Sleep.KERNEL32(00015F90), ref: 00104E60
• DeleteFileA.KERNEL32(?), ref: 00104E7F
Strings
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: 9ab6c43b5a61eea99b4623bc0995d045ee96b934d346e6585f7623ab4fb35537
• Instruction ID: a586c32f1a99ee52c7e04eb9fb721cbb6337f32b399268efc877fe369331e34b
• Opcode Fuzzy Hash: 9ab6c43b5a61eea99b4623bc0995d045ee96b934d346e6585f7623ab4fb35537
• Instruction Fuzzy Hash: 3DD1CD75614208DFC70CDB64EE92AE637B9FB58710B40C41AEA06CBEB1EB7499C1CB51
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000F9C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 000F9CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 000F9DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 000F9E86
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
• Opcode ID: b22efa76a59408e79bcda7ce9bf31b38042eff5664fc867fee32f5acf3233c49
• Instruction ID: 5be8c028ec0d4b42a096b42dfc7c599e60ab5fa0274bb3db81aaa009e21d827d
• Opcode Fuzzy Hash: b22efa76a59408e79bcda7ce9bf31b38042eff5664fc867fee32f5acf3233c49
• Instruction Fuzzy Hash: 8A81B975615205DBC71CDF60FE92AFA3BB9FB48711B00801AEA02D6EA2E73498C1DB55
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,000F8146,00000000,?,?,?,?,?,000EF85A,?,?,?,00109573), ref: 00109143
• RtlReAllocateHeap.NTDLL(00000000,?,000F8146,00000000), ref: 0010914A
• GetProcessHeap.KERNEL32(00000000,00000000,?,000F8146,00000000,?,?,?,?,?,000EF85A,?,?,?,00109573,?), ref: 00109174
• HeapAlloc.KERNEL32(00000000,?,000F8146,00000000,?,?,?,?,?,000EF85A,?,?,?,00109573,?,00000001), ref: 0010917B
Memory Dump Source
• Source File: 00000004.00000002.2257348732.00000000000E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000004.00000002.2257331439.00000000000E0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257377180.000000000010F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257392988.0000000000110000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257408969.0000000000113000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2257425715.000000000011C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e0000_xxxniijvj.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: 8071ef979285a36948b9d4ddb3f96298dca35dc0658cd77cd3bb35fa4eb5fe10
• Instruction ID: f352e6e877448edab87a973ac2e3300673e3c7abf3a3c9dfe1397e354bee9da2
• Opcode Fuzzy Hash: 8071ef979285a36948b9d4ddb3f96298dca35dc0658cd77cd3bb35fa4eb5fe10
• Instruction Fuzzy Hash: DD011676680604DFCB089FA4FE99AA937B6FB48301F44C115F94A87E62EB7994C1CB40

Execution Graph

Execution Coverage: 7.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1494
Total number of Limit Nodes: 6
9240 e2b174 Mailbox 9239->9240 9241 e49883 8 API calls 9240->9241 9242 e2b19a 9241->9242 9243 e49707 Mailbox 8 API calls 9242->9243 9244 e2b1ea 9243->9244 9245 e3a805 2 API calls 9244->9245 9246 e2b217 9245->9246 9317 e38695 9246->9317 9248 e2b235 9249 e38251 2 API calls 9248->9249 9249->9203 9251 e49883 8 API calls 9250->9251 9252 e25042 SetEvent 9251->9252 9252->9197 9417 e24f0b 9253->9417 9256 e31bc3 9257 e47848 8 API calls 9256->9257 9258 e2af7c 9257->9258 9258->9211 9260 e26101 9259->9260 9261 e3a805 2 API calls 9260->9261 9266 e2623b Mailbox 9260->9266 9262 e261a7 9261->9262 9263 e2846d 9 API calls 9262->9263 9264 e261d6 9263->9264 9265 e38251 2 API calls 9264->9265 9265->9266 9267 e26321 9266->9267 9268 e263fd 9266->9268 9269 e3a805 2 API calls 9267->9269 9274 e3a805 2 API calls 9268->9274 9270 e2635d 9269->9270 9271 e2846d 9 API calls 9270->9271 9272 e26381 9271->9272 9273 e38251 2 API calls 9272->9273 9275 e2639c Mailbox 9273->9275 9276 e26487 Mailbox 9274->9276 9275->9228 9425 e37ab8 9276->9425 9279 e38251 2 API calls 9280 e264eb 9279->9280 9281 e26598 9280->9281 9282 e2651c 9280->9282 9437 e28036 9281->9437 9284 e3a805 2 API calls 9282->9284 9286 e26532 9284->9286 9289 e2846d 9 API calls 9286->9289 9287 e265cb 9293 e3a805 2 API calls 9287->9293 9288 e26668 9290 e2ddd3 lstrlen 9288->9290 9291 e26548 9289->9291 9292 e266a4 9290->9292 9294 e38251 2 API calls 9291->9294 9441 e3ae3b 9292->9441 9295 e265f2 9293->9295 9294->9275 9297 e2846d 9 API calls 9295->9297 9299 e26612 9297->9299 9301 e38251 2 API calls 9299->9301 9301->9275 9303 e3a805 2 API calls 9304 e26718 9303->9304 9305 e38251 2 API calls 9304->9305 9306 e26775 9305->9306 9307 e442b6 lstrlen 9306->9307 9308 e267c4 9307->9308 9309 e2c622 5 API calls 9308->9309 9310 e267e3 9309->9310 9449 e4d831 9310->9449 9314 e27f14 9313->9314 9315 e2dd8f 8 API calls 9314->9315 9316 e27f37 9315->9316 9316->9233 9318 e386b6 9317->9318 9319 e23e8c GetSystemTimeAsFileTime 9318->9319 9320 e38873 9319->9320 9321 e442b6 
lstrlen 9320->9321 9326 e388d0 9321->9326 9322 e442b6 lstrlen 9324 e38a48 9322->9324 9323 e39185 Mailbox 9323->9248 9325 e442b6 lstrlen 9324->9325 9327 e38a56 9325->9327 9326->9322 9326->9323 9327->9323 9328 e3a805 2 API calls 9327->9328 9329 e38ad5 9328->9329 9330 e2846d 9 API calls 9329->9330 9331 e38b0f 9330->9331 9332 e38251 2 API calls 9331->9332 9333 e38b3d Mailbox 9332->9333 9334 e3a805 2 API calls 9333->9334 9347 e38d19 9333->9347 9336 e38b9e 9334->9336 9335 e30b92 9 API calls 9337 e38dbe 9335->9337 9339 e323e9 9 API calls 9336->9339 9338 e25724 8 API calls 9337->9338 9340 e38dca Mailbox 9338->9340 9341 e38bc8 Mailbox 9339->9341 9342 e3a805 2 API calls 9340->9342 9344 e38251 2 API calls 9341->9344 9343 e38ded 9342->9343 9345 e30b92 9 API calls 9343->9345 9350 e38bf7 9344->9350 9346 e38e04 9345->9346 9348 e25724 8 API calls 9346->9348 9347->9335 9349 e38e10 Mailbox 9348->9349 9352 e38251 2 API calls 9349->9352 9350->9347 9351 e31c14 8 API calls 9350->9351 9353 e38c77 9351->9353 9354 e38e3b 9352->9354 9355 e3a805 2 API calls 9353->9355 9356 e30b92 9 API calls 9354->9356 9357 e38cbd 9355->9357 9358 e38e8b 9356->9358 9360 e2846d 9 API calls 9357->9360 9359 e25724 8 API calls 9358->9359 9363 e38e9a Mailbox 9359->9363 9361 e38cff 9360->9361 9362 e38251 2 API calls 9361->9362 9362->9347 9365 e3a805 2 API calls 9363->9365 9400 e39051 Mailbox 9363->9400 9364 e3a805 2 API calls 9366 e39087 9364->9366 9367 e38f09 9365->9367 9369 e30b92 9 API calls 9366->9369 9368 e30b92 9 API calls 9367->9368 9370 e38f23 9368->9370 9371 e390d7 9369->9371 9372 e25724 8 API calls 9370->9372 9373 e25724 8 API calls 9371->9373 9375 e38f32 Mailbox 9372->9375 9374 e390e3 Mailbox 9373->9374 9377 e38251 2 API calls 9374->9377 9376 e3a805 2 API calls 9375->9376 9378 e38f5b 9376->9378 9379 e390fd 9377->9379 9381 e38251 2 API calls 9378->9381 9380 e39142 socket 9379->9380 9382 e25724 8 API calls 9379->9382 9380->9323 9384 e39197 9380->9384 9383 e38fbc Mailbox 9381->9383 9382->9380 9388 e3074e 
wvsprintfA 9383->9388 9385 e391f3 gethostbyname 9384->9385 9386 e391bb setsockopt 9384->9386 9385->9323 9389 e39289 inet_ntoa inet_addr 9385->9389 9386->9385 9390 e38fdd 9388->9390 9393 e392f9 htons connect 9389->9393 9394 e392ef 9389->9394 9392 e38251 2 API calls 9390->9392 9395 e38ff4 9392->9395 9393->9323 9399 e3932f Mailbox 9393->9399 9394->9393 9396 e30b92 9 API calls 9395->9396 9397 e39042 9396->9397 9398 e25724 8 API calls 9397->9398 9398->9400 9401 e3939f send 9399->9401 9400->9364 9402 e393bb Mailbox 9401->9402 9402->9323 9403 e49707 Mailbox 8 API calls 9402->9403 9416 e393df Mailbox 9403->9416 9404 e3946b recv 9404->9416 9405 e39784 closesocket 9405->9323 9408 e397e1 9405->9408 9409 e31c14 8 API calls 9408->9409 9409->9323 9410 e37f29 Mailbox 8 API calls 9410->9416 9411 e49883 8 API calls 9411->9416 9412 e38251 GetProcessHeap RtlFreeHeap 9412->9416 9414 e3a805 GetProcessHeap RtlAllocateHeap 9414->9416 9415 e323e9 9 API calls 9415->9416 9416->9404 9416->9405 9416->9410 9416->9411 9416->9412 9416->9414 9416->9415 9647 e4d5e8 9416->9647 9651 e2f1bd 9416->9651 9418 e24f16 9417->9418 9421 e2e739 9418->9421 9422 e2e751 9421->9422 9423 e2dd8f 8 API calls 9422->9423 9424 e24f36 9423->9424 9424->9256 9427 e37ae2 9425->9427 9426 e264bc 9426->9279 9427->9426 9478 e46c12 9427->9478 9432 e37d11 9436 e37c94 Mailbox 9432->9436 9488 e3bff6 9432->9488 9434 e37dab 9495 e370e6 9434->9495 9505 e3761b 9436->9505 9438 e2804b GetModuleFileNameA 9437->9438 9440 e265c2 9438->9440 9440->9287 9440->9288 9442 e3ae5e 9441->9442 9443 e266de 9442->9443 9444 e2bece 8 API calls 9442->9444 9445 e43ca3 9443->9445 9444->9443 9446 e26702 9445->9446 9447 e43cd9 9445->9447 9446->9303 9447->9446 9448 e3ae3b 8 API calls 9447->9448 9448->9447 9450 e4d84e Mailbox 9449->9450 9451 e4d94f CreatePipe 9450->9451 9452 e4d9ad SetHandleInformation 9451->9452 9453 e4d999 9451->9453 9457 e4da12 9452->9457 9458 e4da3b CreatePipe 9452->9458 9454 e49707 Mailbox 8 API calls 9453->9454 9456 e26894 DeleteFileA 
9453->9456 9454->9456 9456->9275 9457->9458 9459 e4da66 SetHandleInformation 9458->9459 9460 e4da52 9458->9460 9463 e4da9a Mailbox 9459->9463 9461 e4de64 CloseHandle 9460->9461 9461->9453 9462 e4de7b CloseHandle 9461->9462 9462->9453 9464 e4db76 CreateProcessA 9463->9464 9465 e4dc04 WriteFile 9464->9465 9466 e4dbe0 CloseHandle 9464->9466 9465->9466 9468 e4dc3e CloseHandle CloseHandle 9465->9468 9469 e4ddd2 CloseHandle 9466->9469 9472 e4dca1 9468->9472 9469->9461 9640 e44101 9472->9640 9476 e4dd6c CloseHandle CloseHandle 9476->9469 9479 e46c2d 9478->9479 9480 e24088 4 API calls 9479->9480 9481 e46cb8 9480->9481 9482 e286e2 4 API calls 9481->9482 9483 e37c5d 9481->9483 9482->9483 9483->9436 9484 e286e2 9483->9484 9485 e286f8 9484->9485 9486 e24088 4 API calls 9485->9486 9487 e2873e Mailbox 9486->9487 9487->9432 9508 e27bf8 9488->9508 9492 e3c05c 9520 e2774c 9492->9520 9494 e3c089 Mailbox 9494->9434 9496 e370f3 9495->9496 9502 e371ef 9496->9502 9532 e3a4b9 9496->9532 9499 e3745e 9501 e3a805 2 API calls 9499->9501 9499->9502 9500 e3a805 2 API calls 9503 e3740b 9500->9503 9501->9502 9502->9436 9503->9502 9504 e38251 2 API calls 9503->9504 9504->9499 9506 e4572d 2 API calls 9505->9506 9507 e37661 9506->9507 9507->9426 9509 e27c25 9508->9509 9510 e3a805 2 API calls 9509->9510 9511 e27c4e Mailbox 9510->9511 9512 e38251 2 API calls 9511->9512 9513 e27c82 9512->9513 9514 e30ce6 9513->9514 9515 e30d32 Mailbox 9514->9515 9517 e30ecd 9515->9517 9518 e31054 Mailbox 9515->9518 9526 e30113 9515->9526 9517->9518 9519 e30113 4 API calls 9517->9519 9518->9492 9519->9517 9521 e277a8 Mailbox 9520->9521 9522 e30ce6 4 API calls 9521->9522 9523 e27a60 9522->9523 9524 e30ce6 4 API calls 9523->9524 9525 e27ab2 9524->9525 9525->9494 9527 e30132 Mailbox 9526->9527 9528 e3a805 2 API calls 9527->9528 9529 e30318 9528->9529 9530 e38251 2 API calls 9529->9530 9531 e305f9 9530->9531 9531->9517 9533 e3a506 9532->9533 9534 e46c12 4 API calls 9533->9534 9536 e3a539 9534->9536 9535 e4572d 2 API calls 
9540 e3719b 9535->9540 9537 e3a563 9536->9537 9538 e3a58e 9536->9538 9542 e3a5e4 9536->9542 9539 e4572d 2 API calls 9537->9539 9543 e269a8 9538->9543 9539->9540 9540->9499 9540->9500 9540->9502 9542->9535 9544 e269c7 Mailbox 9543->9544 9545 e24088 4 API calls 9544->9545 9555 e276f7 9544->9555 9546 e26c45 9545->9546 9547 e24088 4 API calls 9546->9547 9571 e270f3 9546->9571 9551 e26c6a 9547->9551 9548 e276cf 9549 e276e7 9548->9549 9550 e276fc 9548->9550 9553 e4572d 2 API calls 9549->9553 9554 e4572d 2 API calls 9550->9554 9556 e24088 4 API calls 9551->9556 9551->9571 9552 e4572d 2 API calls 9552->9571 9553->9555 9554->9555 9555->9542 9557 e26c97 9556->9557 9558 e286e2 4 API calls 9557->9558 9568 e26cb9 Mailbox 9557->9568 9557->9571 9559 e26d18 9558->9559 9559->9571 9578 e2dec6 9559->9578 9561 e26e4c 9564 e285a4 4 API calls 9561->9564 9562 e26e3d 9565 e42405 4 API calls 9562->9565 9567 e26e47 9564->9567 9565->9567 9569 e285a4 4 API calls 9567->9569 9568->9561 9568->9562 9568->9571 9570 e26ec5 9569->9570 9570->9571 9572 e24088 4 API calls 9570->9572 9571->9548 9571->9552 9573 e26f71 9572->9573 9573->9571 9574 e285a4 4 API calls 9573->9574 9577 e26f9e 9574->9577 9575 e24088 4 API calls 9575->9577 9576 e285a4 4 API calls 9576->9577 9577->9571 9577->9575 9577->9576 9579 e2df1f 9578->9579 9580 e24088 4 API calls 9579->9580 9581 e26d62 9579->9581 9580->9581 9581->9571 9582 e42405 9581->9582 9583 e42431 9582->9583 9590 e29903 9583->9590 9585 e424b6 9585->9568 9586 e42450 9586->9585 9587 e2e4e4 4 API calls 9586->9587 9588 e4248c 9586->9588 9587->9586 9588->9585 9630 e36d72 9588->9630 9591 e29924 9590->9591 9592 e29a10 9591->9592 9593 e299a4 9591->9593 9596 e29952 9591->9596 9598 e285a4 4 API calls 9592->9598 9594 e299c4 9593->9594 9595 e286e2 4 API calls 9593->9595 9594->9596 9597 e285a4 4 API calls 9594->9597 9623 e299ea 9594->9623 9595->9594 9596->9586 9597->9623 9600 e29a45 9598->9600 9599 e4572d 2 API calls 9599->9596 9601 e285a4 4 API calls 9600->9601 9600->9623 9602 
e29aaa 9601->9602 9603 e24088 4 API calls 9602->9603 9602->9623 9604 e29aed 9603->9604 9605 e286e2 4 API calls 9604->9605 9604->9623 9606 e29b25 9605->9606 9607 e24088 4 API calls 9606->9607 9606->9623 9608 e29b46 9607->9608 9609 e24088 4 API calls 9608->9609 9608->9623 9610 e29b73 9609->9610 9611 e2dec6 4 API calls 9610->9611 9613 e29c7b 9610->9613 9610->9623 9612 e29c56 9611->9612 9615 e2dec6 4 API calls 9612->9615 9612->9623 9614 e2dec6 4 API calls 9613->9614 9613->9623 9616 e29d47 9614->9616 9615->9613 9617 e36d72 4 API calls 9616->9617 9624 e29e51 9616->9624 9617->9616 9618 e2a66b 9619 e285a4 4 API calls 9618->9619 9620 e2a6fa 9618->9620 9619->9620 9622 e285a4 4 API calls 9620->9622 9620->9623 9621 e286e2 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9621->9624 9622->9623 9623->9596 9623->9599 9624->9618 9624->9621 9624->9623 9625 e2534c GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9624->9625 9626 e2dec6 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9624->9626 9627 e36d72 4 API calls 9624->9627 9628 e285a4 4 API calls 9624->9628 9629 e2e4e4 4 API calls 9624->9629 9625->9624 9626->9624 9627->9624 9628->9624 9629->9624 9631 e36d97 9630->9631 9632 e36f07 9631->9632 9633 e36dd4 9631->9633 9634 e2b38e 4 API calls 9632->9634 9635 e36e66 9633->9635 9636 e36df4 9633->9636 9639 e36e24 9634->9639 9638 e458f9 4 API calls 9635->9638 9637 e458f9 4 API calls 9636->9637 9637->9639 9638->9639 9639->9588 9642 e4410e 9640->9642 9641 e49707 Mailbox 8 API calls 9645 e4419c 9641->9645 9642->9641 9643 e441f1 ReadFile 9644 e44256 WaitForSingleObject 9643->9644 9643->9645 9644->9476 9645->9643 9645->9644 9646 e49883 8 API calls 9645->9646 9646->9645 9648 e4d5ff 9647->9648 9649 e23e8c GetSystemTimeAsFileTime 9648->9649 9650 e4d628 9648->9650 9649->9650 9650->9416 9652 e2f206 9651->9652 9653 e3a805 2 API calls 9652->9653 9654 e2f22f 9653->9654 9655 e323e9 9 API calls 9654->9655 9656 e2f250 Mailbox 9655->9656 9657 e38251 2 API calls 9656->9657 9658 
e2f28d 9657->9658 9659 e3a805 2 API calls 9658->9659 9664 e2f2a5 9658->9664 9660 e2f2cb 9659->9660 9661 e323e9 9 API calls 9660->9661 9662 e2f2e2 Mailbox 9661->9662 9663 e38251 2 API calls 9662->9663 9663->9664 9664->9416 9093 e4d01d 9094 e4d03a 9093->9094 9100 e45d58 9094->9100 9098 e4d067 9099 e4d108 ExitProcess 9098->9099 9101 e45d93 9100->9101 9111 e2565e 9101->9111 9103 e45dbb 9104 e35d50 9103->9104 9105 e35d87 GetStdHandle 9104->9105 9106 e35d74 9104->9106 9107 e35db3 9105->9107 9108 e35dc5 GetStdHandle 9105->9108 9106->9105 9107->9108 9109 e35dfa GetStdHandle 9108->9109 9109->9098 9112 e256c5 GetProcessHeap HeapAlloc 9111->9112 9113 e25695 9111->9113 9112->9103 9113->9112 9675 e2519e 9676 e423a6 Mailbox 2 API calls 9675->9676 9677 e251b3 9676->9677
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00E40590
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00E405E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00E40629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00E40649
• GetTickCount.KERNEL32 ref: 00E406E6
• GetCommandLineA.KERNEL32 ref: 00E40873
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: 241$C:\Windows\system32\config\systemprofile$HO$^d/$wb_m$~z0
• API String ID: 3327569919-55223334
• Opcode ID: 66f77002b8374a8446bf543dfe05c8b552c4a88e9e820c5473f837c7b82e1921
• Instruction ID: fdba1d0eecd5ea52e35fd1ba2cc64e9dd3b892f730208bad5abce052eedc70e1
• Opcode Fuzzy Hash: 66f77002b8374a8446bf543dfe05c8b552c4a88e9e820c5473f837c7b82e1921
• Instruction Fuzzy Hash: 570396B6504300DFD70CDF66FD9696A37F4FB44307B54192AE902BA2B1EB709988CB15

Control-flow Graph
APIs
• GetVersionExA.KERNEL32(00E5B028), ref: 00E2893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00E28AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 00E28D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00E28D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00E28DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00E28E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00E29158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00E291F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 00E2936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 00E294DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 00E2963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00E297B0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\hjflhukc\$Ua-W$\$gKV`
• API String ID: 1691758827-3231860264
• Opcode ID: eadfd9fbbaf1472ff634a6d8c105211fbe28589ceed56c8c99c780ff6f350ecd
• Instruction ID: f5e3910b0c2fb98ca37e89baca95eb9794afeb62cd0538c559ff5df04e6b6c6a
• Opcode Fuzzy Hash: eadfd9fbbaf1472ff634a6d8c105211fbe28589ceed56c8c99c780ff6f350ecd
• Instruction Fuzzy Hash: 0682DFB2501314CFC70CDB66FD969AA37B8FB54303B44592AE502F62B2EB34998DCB15

Control-flow Graph

control_flow_graph 727 e3571f-e3574f 728 e35751-e3576b 727->728 729 e3577f-e35796 727->729 728->729 730 e3576d-e35779 728->730 731 e357b6-e357d1 729->731 732 e35798-e357aa 729->732 730->729 734 e357d3 731->734 735 e357dd-e35826 CreateToolhelp32Snapshot 731->735 732->731 733 e357ac 732->733 733->731 734->735 736 e35828-e3584d 735->736 737 e3584f-e35865 735->737 738 e3586b-e3586d 736->738 737->738 739 e35873-e358b1 738->739 740 e35ab1-e35af0 call e306af 738->740 741 e358b3-e358c6 739->741 742 e358da-e35908 Process32First 739->742 741->742 744 e358c8-e358d4 741->744 745 e3590e-e35934 742->745 746 e35a6c-e35a93 FindCloseChangeNotification 742->746 744->742 748 e35952 745->748 749 e35936-e35950 745->749 750 e35aa1-e35aab 746->750 751 e35a95-e35a9f 746->751 752 e3595c-e35992 call e45eaf call e320d8 748->752 749->752 750->740 751->740 756 e35997-e359c0 call e47406 752->756 759 e359c2-e35a08 Process32Next 756->759 760 e35a2b-e35a42 756->760 763 e35a21-e35a23 759->763 764 e35a0a-e35a1c 759->764 761 e35a62 760->761 762 e35a44-e35a53 760->762 761->746 762->746 766 e35a55-e35a60 762->766 763->745 765 e35a29 763->765 764->763 765->746 766->746
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E35804
• Process32First.KERNEL32(00000000,00000128), ref: 00E358E2
• Process32Next.KERNEL32(00000000,00000128), ref: 00E359E8
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00E35A7E
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: b9a7f258e4d2fcb2f51aeda892c00b21f6675bff8e2ed16c3d4650f0e37fca3b
• Instruction ID: 442f836800f7d896626e547f3c62b497cfcf89bee8a084da918aac289294e74d
• Opcode Fuzzy Hash: b9a7f258e4d2fcb2f51aeda892c00b21f6675bff8e2ed16c3d4650f0e37fca3b
• Instruction Fuzzy Hash: E391A876605700CFC70C9B2AFDAA5A93BF4B748317B105D2AE846F62A1EB309959CB10

Control-flow Graph

control_flow_graph 698 e3b046-e3b066 699 e3b068-e3b09f 698->699 700 e3b0ac-e3b0cc 698->700 699->700 701 e3b0a1-e3b0a7 699->701 702 e3b0d9-e3b0ea 700->702 703 e3b0ce-e3b0d3 700->703 701->700 704 e3b0f6-e3b119 CreateFileA 702->704 705 e3b0ec 702->705 703->702 706 e3b142-e3b175 GetFileTime 704->706 707 e3b11b-e3b133 704->707 705->704 709 e3b1c7-e3b202 706->709 710 e3b177-e3b191 706->710 708 e3b13a-e3b13d 707->708 711 e3b35a-e3b35f 708->711 714 e3b210-e3b222 709->714 715 e3b204-e3b20e 709->715 712 e3b193-e3b1ac 710->712 713 e3b1b1-e3b1c2 CloseHandle 710->713 712->713 713->708 717 e3b224-e3b246 714->717 718 e3b248 714->718 716 e3b252-e3b2f2 call e2e909 GetFileSize CloseHandle 715->716 721 e3b323-e3b334 716->721 722 e3b2f4-e3b2fe 716->722 717->716 718->716 725 e3b336-e3b353 721->725 726 e3b358 721->726 723 e3b300-e3b30a 722->723 724 e3b314 722->724 723->724 724->721 725->726 726->711
APIs
• CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00E3B104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 00E3B16D
• CloseHandle.KERNEL32(00000000), ref: 00E3B1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E3B25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00E3B2AB
• CloseHandle.KERNEL32(00000000), ref: 00E3B2D8
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 4fe4bbadac858d17a5374dbde906a7043c80b65cbc1e98a651de2bd68524dcc4
• Instruction ID: 9845d2e1adaa769df6e6c18216bed0e434c5112af9786bb994b967561ab68eb9
• Opcode Fuzzy Hash: 4fe4bbadac858d17a5374dbde906a7043c80b65cbc1e98a651de2bd68524dcc4
• Instruction Fuzzy Hash: 2571A876601300CFC74CCF2AED958BA3BB4F74431BB101A1AE956F76A1E7348988CB11

Control-flow Graph

control_flow_graph 767 e2c622-e2c69d call e4dfa1 call e2b7cd 772 e2c6a9-e2c6b1 767->772 773 e2c69f 767->773 774 e2c6b3-e2c6ea call e24eb1 772->774 775 e2c6ef-e2c709 772->775 773->772 785 e2c9b6-e2c9b9 774->785 777 e2c737-e2c75b CreateFileA 775->777 778 e2c70b-e2c71a 775->778 779 e2c79f-e2c7b3 777->779 780 e2c75d-e2c784 call e24eb1 777->780 778->777 782 e2c71c-e2c731 778->782 784 e2c7b8-e2c7d2 779->784 789 e2c786-e2c792 780->789 790 e2c798-e2c79a 780->790 782->777 787 e2c7d4-e2c7f4 784->787 788 e2c7f9-e2c7fb 784->788 787->788 791 e2c81b-e2c82d 788->791 792 e2c7fd-e2c819 788->792 789->790 793 e2c9b5 790->793 794 e2c837-e2c8a2 call e385e7 call e4970f 791->794 792->794 793->785 799 e2c8d6-e2c8ee 794->799 800 e2c8a4-e2c8d4 794->800 801 e2c8fa-e2c948 WriteFile 799->801 802 e2c8f0 799->802 800->801 801->784 803 e2c94e-e2c962 801->803 802->801 804 e2c970-e2c97c 803->804 805 e2c964-e2c96e 803->805 806 e2c982-e2c9a2 FindCloseChangeNotification call e24eb1 804->806 805->806 808 e2c9a7-e2c9b4 806->808 808->793
APIs
  • Part of subcall function 00E2B7CD: WaitForSingleObject.KERNEL32(00E3AEAC,00004E20,00000001,?,00E2BFA2,00000001,-AF16B4FB,?,00E3AEAC,00E266DE), ref: 00E2B81D
• CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,00E267E3,?,00000004,?,00000000,?), ref: 00E2C746
• WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 00E2C90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000001), ref: 00E2C983
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
• String ID:
• API String ID: 2552625159-0
• Opcode ID: 93b1877ed281e71d7750d3947a5b675d07b4d0b45115b940a5eaec643396c655
• Instruction ID: c7581e62e0ac5efa7e2655004ac6c578585ccb86fd262b97df7e4936b9fd7eed
• Opcode Fuzzy Hash: 93b1877ed281e71d7750d3947a5b675d07b4d0b45115b940a5eaec643396c655
• Instruction Fuzzy Hash: 4F91A7B2511311DFC70CCF2AFE955697BB4FB88316B60591AE506FB2B1E7309948CB14

Control-flow Graph

control_flow_graph 809 e2e769-e2e79c 810 e2e7b9-e2e7ce 809->810 811 e2e79e-e2e7b7 809->811 812 e2e7d4-e2e807 810->812 811->812 813 e2e81a-e2e82f 812->813 814 e2e809-e2e818 812->814 815 e2e83b-e2e881 AllocateAndInitializeSid 813->815 816 e2e831 813->816 814->815 817 e2e883-e2e89d CheckTokenMembership 815->817 818 e2e8ef-e2e908 815->818 816->815 819 e2e8c9-e2e8e9 FreeSid 817->819 820 e2e89f-e2e8c2 817->820 819->818 820->819
APIs
• AllocateAndInitializeSid.ADVAPI32(00E28954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00E28954), ref: 00E2E865
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E2E895
• FreeSid.ADVAPI32(?), ref: 00E2E8DC
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: a3271e3b3040c1f39cd54a7fb8a51c01c7888464c461c787cfbbd2c159e122ee
• Instruction ID: 4e5e806a36f5119159ab528cc0e97a0d3302532ade72a94ea69e1f650f5a4753
• Opcode Fuzzy Hash: a3271e3b3040c1f39cd54a7fb8a51c01c7888464c461c787cfbbd2c159e122ee
• Instruction Fuzzy Hash: FA415275905314EFCB0CCFA7FD856A977B4FB08306B84581AE442F7261E7349988CB65

Control-flow Graph (function at e320d8; rendered graph image not reproduced)
APIs
• lstrlen.KERNEL32(?,?,00E309C2,?,?,?), ref: 00E320F0
• CharLowerBuffA.USER32(?,00000000,?,00E309C2,?,?,?), ref: 00E32131
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: a833a050c4fd9b65a682ee5720566d0465ea0f156c6b90f22cb870d6121fc40f
• Instruction ID: 4560b4d4b240ce72ee4cdd20f05e9ac5fecd183e99490c3d45fc817dd097c7e7
• Opcode Fuzzy Hash: a833a050c4fd9b65a682ee5720566d0465ea0f156c6b90f22cb870d6121fc40f
• Instruction Fuzzy Hash: 2FF0C731110300CFCB0C8F47EA0A4763BF2F704302B50081AF806AA231E7349D88EB62

Control-flow Graph (function at e423a6; rendered graph image not reproduced)
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00E4A3A7,?,?,?,00E4D0BE), ref: 00E423F6
• RtlAllocateHeap.NTDLL(00000000,?,00E4A3A7,?,?,?,00E4D0BE), ref: 00E423FD
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 0019a10b51494a3b621f93de86a3eb9e38f932968cceb57cfe3731f719a2b4ec
• Instruction ID: cd98e8a27ba0cae2d46f4c1561701368d84739e1451b4a16c77bffdf501a506a
• Opcode Fuzzy Hash: 0019a10b51494a3b621f93de86a3eb9e38f932968cceb57cfe3731f719a2b4ec
• Instruction Fuzzy Hash: 07F0E5765003019FCB048FABFC4A94A37B4F39470AB610802F145FA0B1D778E85C8FA0

Control-flow Graph (function at e2de5a; rendered graph image not reproduced)
APIs
• GetProcessHeap.KERNEL32(00000000,00E38109,?,00E38109,00000000), ref: 00E2DE6C
• RtlFreeHeap.NTDLL(00000000,?,00E38109,00000000), ref: 00E2DE73
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 436c4e54945f4fc9e72a78d26d0b02ad1e5445340a3a37ad6b1207ba5c510361
• Instruction ID: 6a10078fb418b0ea3be3db1746f41642909ddfae293800aff382342156b3433f
• Opcode Fuzzy Hash: 436c4e54945f4fc9e72a78d26d0b02ad1e5445340a3a37ad6b1207ba5c510361
• Instruction Fuzzy Hash: 54E08C729053449FEE088BE7FD4AA053BE8FB2174AB008911F205EA1B1C72195888A84

Control-flow Graph (function at e4d831; rendered graph image not reproduced)
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 00E4D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00E4D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 00E4DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00E4DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00E4DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 00E4DC1C
• CloseHandle.KERNEL32(?), ref: 00E4DC33
• CloseHandle.KERNEL32(?), ref: 00E4DC66
• CloseHandle.KERNEL32(?), ref: 00E4DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 00E4DD4F
• CloseHandle.KERNEL32(?), ref: 00E4DD9F
• CloseHandle.KERNEL32(?), ref: 00E4DDB2
• CloseHandle.KERNEL32(?), ref: 00E4DE41
• CloseHandle.KERNEL32(00000000), ref: 00E4DE67
• CloseHandle.KERNEL32(?), ref: 00E4DE7E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
• Opcode ID: 1f57556406250252b280d72b1557c1dc7ee10297fecc49294e560273c75c3e12
• Instruction ID: 6f359919072893aeb6ba5dd88d8467f61a6958aca5747ab0d00b757a7af422c1
• Opcode Fuzzy Hash: 1f57556406250252b280d72b1557c1dc7ee10297fecc49294e560273c75c3e12
• Instruction Fuzzy Hash: 24028776914704DFCB0CCF6AFD929A97BB4FB48306B14591AE802F7271EB309998CB11

Control-flow Graph (rendered graph for the function at e435ad not reproduced here)
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00E43685
• CreateServiceA.ADVAPI32(00000000,009A2F68,009A2F68,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E436D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00E43728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E4374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 00E4375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 00E437D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E43836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00E43847
• CloseServiceHandle.ADVAPI32(00000000), ref: 00E438B1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: b938b0dcc4ef0adffb0ec82bcd06c4ed41d67db6a23de5a1dd7b6a2f090ad87d
• Instruction ID: 076064c58267f2b5ba1db27ff78b9f12a7baebde2917f0141f69c404ae85b193
• Opcode Fuzzy Hash: b938b0dcc4ef0adffb0ec82bcd06c4ed41d67db6a23de5a1dd7b6a2f090ad87d
• Instruction Fuzzy Hash: 469185BA514700DEC70C8F2AFD96979B7B8F7483077444D1AE902BB2B1EB749989CB50

Control-flow Graph (rendered graph for the function at e3111e not reproduced here)
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E311F7
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00E31267
• CloseHandle.KERNEL32(00000000), ref: 00E3128B
• GetTickCount.KERNEL32 ref: 00E312D1
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00E3153B
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00E3157E
• CloseHandle.KERNEL32(00000000), ref: 00E3158F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID: Ra);
• API String ID: 3478262135-4229484525
• Opcode ID: a69dda924ea5afc35171ba6b283ed71b267f1dff2cc0cd86221ea84ef4c68a9e
• Instruction ID: 832c22a9a193ec84256a07aa2e98ba146b578f1b381fe2a22604438d9639a049
• Opcode Fuzzy Hash: a69dda924ea5afc35171ba6b283ed71b267f1dff2cc0cd86221ea84ef4c68a9e
• Instruction Fuzzy Hash: EAB1EDB2505700DED71C8F2AFD9697A3BF8FB48317B10091AE501F62B2EB748948CB25

Control-flow Graph (rendered graph for the function at e31636 not reproduced here)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E316B2
• Process32First.KERNEL32(00000000,00000128), ref: 00E317BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00E31932
• Module32First.KERNEL32(00000000,00000224), ref: 00E31991
• CloseHandle.KERNEL32(?,0000000A), ref: 00E31A6A
• Process32Next.KERNEL32(00000000,00000128), ref: 00E31ACE
• CloseHandle.KERNEL32(00000000), ref: 00E31AF5
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID:
• API String ID: 930127669-0
• Opcode ID: c1b1f0bf965d6c6ddde096b2c83832190a1f6b3b957385f6e5a3558771602451
• Instruction ID: bdc91f667e0a37ef9179566c5dcf2f74ea53df9c3722ef390978f3541cbc6353
• Opcode Fuzzy Hash: c1b1f0bf965d6c6ddde096b2c83832190a1f6b3b957385f6e5a3558771602451
• Instruction Fuzzy Hash: AFC1FDB6501700CFD70CCB66FD9AAB937B4FB44317F04195AE906F62A1EB349988CB44
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00E39FF7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 00E3A049
• GetLastError.KERNEL32 ref: 00E3A061
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 00E3A162
• CloseServiceHandle.ADVAPI32(00000000), ref: 00E3A3B6
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: b5816311642071612d5d187abe2efc2963fe3a0fd5f71039cbd0e3183b07b4e4
                                                                                                                                                                                                            • Instruction ID: 0a4f38691cf00507ce4284dce37fbbeb05c5cc1a271e274142b13187698e1694
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b5816311642071612d5d187abe2efc2963fe3a0fd5f71039cbd0e3183b07b4e4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 97D1CCB6901700DFC70CCF66FD99A697BF4FB54316B19192AE801B72B0EB349988CB51
APIs
• Sleep.KERNEL32(000003E8), ref: 00E25DEC
• FindFirstFileA.KERNEL32(?,?), ref: 00E25EB2
• DeleteFileA.KERNEL32(?), ref: 00E25FE2
• FindNextFileA.KERNEL32(00000000,?), ref: 00E26020
• FindClose.KERNEL32(00000000), ref: 00E26042
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: b6e647c30c41142dac67b4c0591a7f821a60aae3b2e4c3a1332c0814d70ef158
• Instruction ID: 360eb872d3cc9380faff206afa7752dfad24c14d9b7442f807258f1c2dd897f4
• Opcode Fuzzy Hash: b6e647c30c41142dac67b4c0591a7f821a60aae3b2e4c3a1332c0814d70ef158
• Instruction Fuzzy Hash: 55A1DFB6611B14CFC30CCB67FE965A937B8F708307B04191AE406FA6B1EB349989CB51

Control-flow Graph
Legend: Executed / Not Executed (block colouring is not carried by the text export)
Basic blocks (id: address range, API calls):
• 1873: e2c9ed-e2ca6d
• 1874: e2ca6f-e2ca7b
• 1875: e2ca9c-e2caa6
• 1876: e2caab-e2cb0d, RegisterServiceCtrlHandlerA
• 1877: e2ca7d-e2ca9a
• 1878: e2cb13-e2cb37
• 1879: e2cdba-e2cdd1
• 1880: e2cb57-e2cbcb, SetServiceStatus, CreateEventA
• 1881: e2cb39-e2cb51
• 1882: e2cbde-e2cbfe, SetServiceStatus
• 1883: e2cbcd-e2cbd8
• 1884: e2cc30-e2cc3c
• 1885: e2cc00-e2cc13
• 1886: e2cc15-e2cc27
• 1887: e2cc29-e2cc2e
• 1888: e2cc42-e2cc6d, WaitForSingleObject
• 1889: e2cc6f-e2ccff, call e2b7cd, SetServiceStatus, CloseHandle
• 1892: e2cd10-e2cd21
• 1893: e2cd01-e2cd0b
• 1894: e2cd23-e2cd2d
• 1895: e2cd2f-e2cd3c
• 1896: e2cd42-e2cd69
• 1897: e2cd6b-e2cd7b
• 1898: e2cd88-e2cda5, SetServiceStatus
• 1899: e2cda7-e2cdb4
• 1900: e2cd7d-e2cd83
Edges: 1873->1874, 1873->1875, 1874->1876, 1874->1877, 1875->1876, 1876->1878, 1876->1879, 1877->1876, 1878->1880, 1878->1881, 1880->1882, 1880->1883, 1881->1880, 1882->1884, 1882->1885, 1883->1882, 1884->1888, 1885->1886, 1885->1887, 1886->1888, 1887->1888, 1888->1888, 1888->1889, 1889->1892, 1889->1893, 1892->1894, 1892->1895, 1893->1892, 1894->1896, 1895->1896, 1896->1897, 1896->1898, 1897->1898, 1897->1900, 1898->1879, 1898->1899, 1899->1879, 1900->1898
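Reading the exported graph above by hand is slow. The following Python is an added example by the editor, not part of the Joe Sandbox report and not code from the sample: it parses the report's textual `control_flow_graph` token stream (copied into the block exactly as it appears on this page) into basic blocks and edges, then recovers the function's entry and exit blocks, its loops (back edges found by depth-first search) and the order in which the annotated API calls are reached on one pass through the function. The token grammar (a decimal block id, a `start-end` address range, optional API names or `call <addr>`, and `src->dst` edges) is inferred from this export, not from any documented Joe Sandbox format.

```python
"""Parse the text export of a Joe Sandbox control-flow graph and recover one
function's entry/exit blocks, loops and API call order.
Added example, not part of the report: CFG_TEXT is copied from this page's
"Control-flow Graph"; the token grammar is inferred from that export."""
import re
from collections import defaultdict

CFG_TEXT = (
    "control_flow_graph 1873 e2c9ed-e2ca6d 1874 e2ca6f-e2ca7b 1873->1874 1875 e2ca9c-e2caa6 "
    "1873->1875 1876 e2caab-e2cb0d RegisterServiceCtrlHandlerA 1874->1876 1877 e2ca7d-e2ca9a "
    "1874->1877 1875->1876 1878 e2cb13-e2cb37 1876->1878 1879 e2cdba-e2cdd1 1876->1879 1877->1876 "
    "1880 e2cb57-e2cbcb SetServiceStatus CreateEventA 1878->1880 1881 e2cb39-e2cb51 1878->1881 "
    "1882 e2cbde-e2cbfe SetServiceStatus 1880->1882 1883 e2cbcd-e2cbd8 1880->1883 1881->1880 "
    "1884 e2cc30-e2cc3c 1882->1884 1885 e2cc00-e2cc13 1882->1885 1883->1882 1888 e2cc42-e2cc6d "
    "WaitForSingleObject 1884->1888 1886 e2cc15-e2cc27 1885->1886 1887 e2cc29-e2cc2e 1885->1887 "
    "1886->1888 1887->1888 1888->1888 1889 e2cc6f-e2ccff call e2b7cd SetServiceStatus CloseHandle "
    "1888->1889 1892 e2cd10-e2cd21 1889->1892 1893 e2cd01-e2cd0b 1889->1893 1894 e2cd23-e2cd2d "
    "1892->1894 1895 e2cd2f-e2cd3c 1892->1895 1893->1892 1896 e2cd42-e2cd69 1894->1896 1895->1896 "
    "1897 e2cd6b-e2cd7b 1896->1897 1898 e2cd88-e2cda5 SetServiceStatus 1896->1898 1897->1898 "
    "1900 e2cd7d-e2cd83 1897->1900 1898->1879 1899 e2cda7-e2cdb4 1898->1899 1899->1879 1900->1898"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")


def parse_cfg(text):
    """Return (blocks, edges); blocks maps id -> {"range": "start-end", "calls": [...]}.
    Grammar seen in the export: decimal block id, its address range, then any
    annotations (API names, or 'call <addr>'); edges are 'src->dst'."""
    blocks, edges, cur = {}, [], None
    for tok in text.split():
        if tok == "control_flow_graph":
            continue
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok.isdigit():
            cur = int(tok)
            blocks[cur] = {"range": None, "calls": []}
        elif blocks[cur]["range"] is None and RANGE_RE.match(tok):
            blocks[cur]["range"] = tok
        elif blocks[cur]["calls"] and blocks[cur]["calls"][-1] == "call":
            blocks[cur]["calls"][-1] = f"call {tok}"   # join 'call' with its target
        else:
            blocks[cur]["calls"].append(tok)
    return blocks, edges


def entry_and_exits(blocks, edges):
    """Entry blocks have no predecessor, exit blocks no successor."""
    preds = {d for _, d in edges}
    succs = {s for s, _ in edges}
    return sorted(b for b in blocks if b not in preds), sorted(b for b in blocks if b not in succs)


def back_edges(blocks, edges):
    """Depth-first walk from the entry; an edge into a block still on the DFS
    stack closes a loop. A self-edge (a polling loop) is the simplest case."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    state, found = {}, []

    def visit(n):
        state[n] = "active"
        for m in succ[n]:
            if state.get(m) == "active":
                found.append((n, m))
            elif m not in state:
                visit(m)
        state[n] = "done"

    for entry in entry_and_exits(blocks, edges)[0]:
        visit(entry)
    return found


def api_order(blocks, edges):
    """Annotations in topological order after dropping back edges (Kahn's algorithm),
    i.e. the order in which the APIs are reached on one pass through the function."""
    drop = set(back_edges(blocks, edges))
    succ, indeg = defaultdict(list), {b: 0 for b in blocks}
    for s, d in edges:
        if (s, d) not in drop:
            succ[s].append(d)
            indeg[d] += 1
    ready, order = sorted(b for b, k in indeg.items() if k == 0), []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    return [(b, call) for b in order for call in blocks[b]["calls"]]


def analyze(text=CFG_TEXT):
    blocks, edges = parse_cfg(text)
    entries, exits = entry_and_exits(blocks, edges)
    return {
        "blocks": len(blocks), "edges": len(edges), "entry": entries, "exits": exits,
        "loops": back_edges(blocks, edges),
        "exit_predecessors": sorted(s for s, d in edges if d in exits),
        "api_order": [call for _, call in api_order(blocks, edges)],
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On this function the script reports 26 blocks, 38 edges, a single entry (1873) and a single exit (1879). The only loop is the self-edge on block 1888 (e2cc42-e2cc6d), the block that calls WaitForSingleObject, so the function spins on that wait rather than blocking once. The exit block has three predecessors: 1876, where RegisterServiceCtrlHandlerA is called and one branch goes straight to the return (consistent with the usual check for a NULL status handle), and 1898/1899 after the final SetServiceStatus. The recovered API order matches the APIs list that follows.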
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 00E2CAF2
• SetServiceStatus.ADVAPI32(00E5B2DC), ref: 00E2CB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E2CB78
• SetServiceStatus.ADVAPI32(00E5B2DC), ref: 00E2CBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 00E2CC62
• SetServiceStatus.ADVAPI32(00E5B2DC), ref: 00E2CCAF
• CloseHandle.KERNEL32 ref: 00E2CCC5
• SetServiceStatus.ADVAPI32(00E5B2DC), ref: 00E2CD8F
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: e9e21bf4ff3ae0afd32d73c117cbabeb20d334b56696180bee9bf36c2fab1a4b
• Instruction ID: edc1536ffec7e1cc6f89d158f77b6a2dad5bcdc433b4d57697c76326da211665
• Opcode Fuzzy Hash: e9e21bf4ff3ae0afd32d73c117cbabeb20d334b56696180bee9bf36c2fab1a4b
• Instruction Fuzzy Hash: 32910CB51113118FC31CCF2BFE9A8297BB5F70830B7505D2AE446BA2B1EB709889CB10
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E308C2
• Process32First.KERNEL32(00000000,00000128), ref: 00E30966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E30A15
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 00E30A64
• CloseHandle.KERNEL32(00000000), ref: 00E30A82
• Process32Next.KERNEL32(00000000,00000128), ref: 00E30AD2
• CloseHandle.KERNEL32(00000000), ref: 00E30B10
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
• String ID:
• API String ID: 2696918072-0
• Opcode ID: 101d1f0149dd85fb4654c73f51c3f3e17820ef0df32e3768d5c89e6e0a9ae315
• Instruction ID: 6d3dc2bee3e2b8aeafd35499fd6a96c8b486f3612a01ec59eb056c120b76c906
• Opcode Fuzzy Hash: 101d1f0149dd85fb4654c73f51c3f3e17820ef0df32e3768d5c89e6e0a9ae315
• Instruction Fuzzy Hash: 6281A9725117119FC30CCF2AFD96A6A77B8FB48317B40091AE846F66B1EB348998CB44
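Three of the routines listed on this page are loops whose purpose is fixed by their API sequence: the Sleep/FindFirstFileA/DeleteFileA/FindNextFileA sweep above, the CreateToolhelp32Snapshot/Process32First/OpenProcess/TerminateProcess sweep just listed, and the GetModuleFileNameA/Sleep/DeleteFileA routine further down. They read more easily once the raw immediates are decoded. The following Python is an added example by the editor, not code from the report or from the sample: it parses the report's `APIs` lines (copied from this page as the constructed input), decodes the arguments whose meaning is fixed by the documented Win32 prototypes (Toolhelp snapshot flags, the OpenProcess access mask, the PROCESSENTRY32 size, Sleep durations, MAX_PATH) and matches each function against ordered API subsequences. The behaviour labels and signature lists are the editor's own, not Joe Sandbox signatures.

```python
"""Decode Joe Sandbox "APIs" listings and match them against ordered API
signatures. Added example, not part of the report or the sample: LISTINGS is
copied from this page, the constant tables are documented Win32 values, and
the signature labels are the editor's own."""
import re
from dataclasses import dataclass, field

# One listing line: '• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX'
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")

TH32CS = [(0x1, "TH32CS_SNAPHEAPLIST"), (0x2, "TH32CS_SNAPPROCESS"), (0x4, "TH32CS_SNAPTHREAD"),
          (0x8, "TH32CS_SNAPMODULE"), (0x10, "TH32CS_SNAPMODULE32")]
PROCESS = [(0x1, "PROCESS_TERMINATE"), (0x2, "PROCESS_CREATE_THREAD"), (0x8, "PROCESS_VM_OPERATION"),
           (0x10, "PROCESS_VM_READ"), (0x20, "PROCESS_VM_WRITE"), (0x40, "PROCESS_DUP_HANDLE"),
           (0x400, "PROCESS_QUERY_INFORMATION"), (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION")]


def flags(value, table):
    """Render a bit mask with the names in table; unknown bits stay as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


pe32 = lambda v: "296 = sizeof(PROCESSENTRY32)" if v == 0x128 else str(v)  # 32-bit ANSI layout

# (API, argument position) -> decoder; positions follow the documented prototypes
DECODERS = {
    ("Sleep", 0): lambda v: f"{v} ms ({v / 1000:g} s)",
    ("CreateToolhelp32Snapshot", 0): lambda v: flags(v, TH32CS),
    ("OpenProcess", 0): lambda v: flags(v, PROCESS),
    ("Process32First", 1): pe32, ("Process32Next", 1): pe32,
    ("GetModuleFileNameA", 2): lambda v: "260 = MAX_PATH" if v == 260 else str(v),
    ("TerminateProcess", 1): lambda v: f"exit code 0x{v:X}",
}


@dataclass
class Call:
    api: str
    module: str
    ref: str
    args: list                # int for resolved immediates, None for '?', str for symbols
    decoded: dict = field(default_factory=dict)
    subcall: str = None       # set when the line is 'Part of subcall function ...'


def parse_listing(lines):
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                               # headings such as 'APIs' or 'Strings'
        args = [None if a == "?" else int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a
                for a in (m["args"] or "").split(",") if a]
        call = Call(m["api"], m["mod"], m["ref"], args, subcall=m["sub"])
        for i, v in enumerate(args):
            if isinstance(v, int) and (call.api, i) in DECODERS:
                call.decoded[i] = DECODERS[(call.api, i)](v)
        calls.append(call)
    return calls


# Ordered (not necessarily adjacent) API subsequences; labels are the editor's.
SIGNATURES = {
    "directory wipe loop": ["FindFirstFileA", "DeleteFileA", "FindNextFileA"],
    "process termination sweep": ["CreateToolhelp32Snapshot", "Process32First", "OpenProcess",
                                  "TerminateProcess", "Process32Next"],
    "delayed self-deletion": ["GetModuleFileNameA", "Sleep", "DeleteFileA"],
}


def match_signatures(calls):
    """Return {label: [ref, ...]} for each signature found in order within one function."""
    hits = {}
    for label, pattern in SIGNATURES.items():
        pos, refs = 0, []
        for c in calls:
            if pos < len(pattern) and c.api == pattern[pos]:
                refs.append(c.ref)
                pos += 1
        if pos == len(pattern):
            hits[label] = refs
    return hits


# Copied from the 'APIs' listings on this page, keyed by the first call's address.
LISTINGS = {
    "00E25DEC": ["• Sleep.KERNEL32(000003E8), ref: 00E25DEC",
                 "• FindFirstFileA.KERNEL32(?,?), ref: 00E25EB2",
                 "• DeleteFileA.KERNEL32(?), ref: 00E25FE2",
                 "• FindNextFileA.KERNEL32(00000000,?), ref: 00E26020",
                 "• FindClose.KERNEL32(00000000), ref: 00E26042"],
    "00E308C2": ["• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E308C2",
                 "• Process32First.KERNEL32(00000000,00000128), ref: 00E30966",
                 "• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E30A15",
                 "• TerminateProcess.KERNEL32(00000000,000000FF), ref: 00E30A64",
                 "• CloseHandle.KERNEL32(00000000), ref: 00E30A82",
                 "• Process32Next.KERNEL32(00000000,00000128), ref: 00E30AD2",
                 "• CloseHandle.KERNEL32(00000000), ref: 00E30B10"],
    "00E44CBC": ["• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00E44CBC",
                 "  • Part of subcall function 00E3074E: wvsprintfA.USER32(?,?,?), ref: 00E307C3",
                 "• Sleep.KERNEL32(00015F90), ref: 00E44E60",
                 "• DeleteFileA.KERNEL32(?), ref: 00E44E7F"],
}


def analyze(listings=LISTINGS):
    """Behaviour hits per function."""
    return {fn: match_signatures(parse_listing(lines)) for fn, lines in listings.items()}


if __name__ == "__main__":
    for fn, lines in LISTINGS.items():
        for c in parse_listing(lines):
            print(f"{fn} {c.ref} {c.api}{f' (via {c.subcall})' if c.subcall else ''} {c.decoded}")
        print(f"{fn} -> {analyze()[fn]}")
```

Run as a script it prints each decoded call and the matched behaviour per function. For the process sweep it shows a TH32CS_SNAPPROCESS snapshot walked with 296-byte PROCESSENTRY32 records and every process opened with PROCESS_TERMINATE only; for the last routine it shows the sample resolving its own image path (hModule NULL, MAX_PATH buffer), sleeping 90 s and then deleting a file, presumably that image, although the DeleteFileA argument is not resolved statically. Two caveats a practitioner should keep in mind: Joe Sandbox recovers these arguments statically from the stack, so `?` means the value was not a compile-time constant, and argument positions are only as reliable as that recovery; the decoders therefore key on (API, position) and leave everything else as raw values. The signature matcher also looks at one function's listing in isolation, so a loop split across a subroutine would need the subcall lines included, as the wvsprintfA line shows.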
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,00E2D583,Function_0000AD87,00000002,00000000), ref: 00E44637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00E44655
• CloseHandle.KERNEL32(00000000,?,00000002,?,00E2D583,Function_0000AD87,00000002,00000000), ref: 00E4468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,00E2D583,Function_0000AD87,00000002,00000000), ref: 00E446A1
• CloseHandle.KERNEL32(?,00000002,?,00E2D583,Function_0000AD87,00000002,00000000), ref: 00E44712
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 3e94680a8e10043c0290aa5ba3c83fbb07c27b13dc3ac593860b65732bfba043
• Instruction ID: c7add2c1db95b83b0f9089aeb741071b052acf4d72a7f651aa1e105100fac328
• Opcode Fuzzy Hash: 3e94680a8e10043c0290aa5ba3c83fbb07c27b13dc3ac593860b65732bfba043
• Instruction Fuzzy Hash: DE4174B6111340DFC31C8F2AFD899263BB5F7897177604C2AE456E66B1E330A85ACB11
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00E44CBC
  • Part of subcall function 00E3074E: wvsprintfA.USER32(?,?,?), ref: 00E307C3
• Sleep.KERNEL32(00015F90), ref: 00E44E60
• DeleteFileA.KERNEL32(?), ref: 00E44E7F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
• Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$DeleteModuleNameSleepwvsprintf
                                                                                                                                                                                                            • String ID: KU
                                                                                                                                                                                                            • API String ID: 4183770253-1793860563
                                                                                                                                                                                                            • Opcode ID: b09bae2435004d7b55420c3db02da010316b1930d4d4aacf3a5191242bffcf98
                                                                                                                                                                                                            • Instruction ID: 90df0b8c3a6e6614baefdf31e3617fe45b02a1ea52d283b2bcdf03992c499705
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b09bae2435004d7b55420c3db02da010316b1930d4d4aacf3a5191242bffcf98
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7CD1D1766107048EC70CDF66FD96AA577F8FB44302B441D1AE906FB2B1EB349988CB51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateProcessA.KERNEL32(?,00E2DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00E35628
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00E2DA33,?,?,?,?,00000000), ref: 00E35652
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00E35665
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                            • String ID: D
                                                                                                                                                                                                            • API String ID: 2922976086-2746444292
                                                                                                                                                                                                            • Opcode ID: a5aed7ae42c47f0e66f46b5cf9c1b43dd91487e257f60e813c60e51d34bdbe2a
                                                                                                                                                                                                            • Instruction ID: 6d3a1083af13643b7c14c8a6c877bdd6c51b6e88c56bfcbe0a4581d49b821e84
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a5aed7ae42c47f0e66f46b5cf9c1b43dd91487e257f60e813c60e51d34bdbe2a
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CD41B072501705DFCB1CDF97FE9A9BA7BB4FB84306B00581AE502B62B1EB705848DB11
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E39C43
                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00E39CA8
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00E39DC7
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00E39E86
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseFileHandle$CreateRead
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2564258376-0
                                                                                                                                                                                                            • Opcode ID: 6a90d49a9483e444d8a4e6b72c5242241cd4cc5ff2fe71817f8b7aae07d2d540
                                                                                                                                                                                                            • Instruction ID: 8dc7a7f5a04d483ff998d094efafcb3b372c7ed68f2774742cef6193a8ab1bc0
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6a90d49a9483e444d8a4e6b72c5242241cd4cc5ff2fe71817f8b7aae07d2d540
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3581A9756013008FC718EF62FD9667A37E8FB44307F10291AE506B62A2EB748888CB55
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00E38146,00000000,?,?,?,?,?,00E2F85A,?,?,?,00E49573), ref: 00E49143
                                                                                                                                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,00E38146,00000000), ref: 00E4914A
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,00E38146,00000000,?,?,?,?,?,00E2F85A,?,?,?,00E49573,?), ref: 00E49174
                                                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00E38146,00000000,?,?,?,?,?,00E2F85A,?,?,?,00E49573,?,00000001), ref: 00E4917B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000B.00000002.2721684791.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E20000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721656789.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721735736.0000000000E4F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721765279.0000000000E50000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721795710.0000000000E53000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.2721825615.0000000000E5C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_11_2_e20000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1154092256-0
                                                                                                                                                                                                            • Opcode ID: 467804b0b927c0805b365f659dcb042cf92dee564e77881c7abdb9a9eb15e606
                                                                                                                                                                                                            • Instruction ID: 4d035da7cb33316534fff7edc7ab02cfa8d67c2accf67a7f990b507cd8de476f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 467804b0b927c0805b365f659dcb042cf92dee564e77881c7abdb9a9eb15e606
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 73011A7A540704DFDB0C9FA2FC696693BA4FB09306F844815F90AA6672E775A44CCB40
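The "APIs" lists above carry more than the names: the literal arguments let an analyst decode what each call does. Sleep.KERNEL32(00015F90) is a 90,000 ms (90 s) wait, long enough to outlast many automated analysis windows; CreateProcessA is called with dwCreationFlags 00000008 (DETACHED_PROCESS); CreateFileA opens with GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING; and the function that calls GetModuleFileNameA, then Sleep, then DeleteFileA follows the shape of a delayed self-delete, although the report shows the DeleteFileA path only as "?", so that remains a candidate rather than a confirmed behaviour. The following script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in the report's own format (the embedded input is copied from the entries above) and applies those decodings and heuristics. The 60-second sleep threshold and the self-delete pattern are the example's own assumptions; the flag values are the documented Win32 constants.

```python
"""Decode Joe Sandbox "APIs" lines and flag a few behaviours of interest.

Added example; the heuristics (sleep threshold, self-delete pattern) are
assumptions made here, not findings stated by the report.
"""
import re
from dataclasses import dataclass

# Constructed input: call lines copied from the report's function entries above.
REPORT_EXCERPT = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00E44CBC
  • Part of subcall function 00E3074E: wvsprintfA.USER32(?,?,?), ref: 00E307C3
• Sleep.KERNEL32(00015F90), ref: 00E44E60
• DeleteFileA.KERNEL32(?), ref: 00E44E7F
APIs
• CreateProcessA.KERNEL32(?,00E2DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00E35628
• CloseHandle.KERNEL32(00E2DA33,?,?,?,?,00000000), ref: 00E35652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00E35665
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E39C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00E39CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00E39DC7
"""

# One report line: optional "Part of subcall function X:" prefix, then API.MODULE(args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*[•\-*]\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants used by the decoders below.
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS", 0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT", 0x08000000: "CREATE_NO_WINDOW",
}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class Call:
    api: str
    module: str
    args: list   # int per argument, or None where the report shows "?"
    ref: int     # call-site address


def _parse_arg(token: str):
    token = token.strip()
    return None if token == "?" else int(token, 16)


def parse_functions(text: str) -> list:
    """Split the excerpt into one call list per "APIs" header."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [_parse_arg(a) for a in raw.split(",")] if raw else []
            current.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return functions


def decode_flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def long_sleeps(calls: list, threshold_ms: int = 60_000) -> list:
    """Sleep() arguments at or above the threshold (assumed: 60 s)."""
    return [c.args[0] for c in calls
            if c.api == "Sleep" and c.args and c.args[0] is not None and c.args[0] >= threshold_ms]


def self_delete_candidate(calls: list) -> bool:
    """Heuristic: the function resolves its own module path and later deletes a file."""
    names = [c.api for c in calls]
    if "GetModuleFileNameA" not in names:
        return False
    return "DeleteFileA" in names[names.index("GetModuleFileNameA") + 1:]


def describe_create_process(call: Call) -> list:
    return decode_flags(call.args[5], CREATION_FLAGS)        # dwCreationFlags


def describe_create_file(call: Call) -> dict:
    return {"access": decode_flags(call.args[1], ACCESS),      # dwDesiredAccess
            "share": decode_flags(call.args[2], SHARE),        # dwShareMode
            "disposition": DISPOSITION.get(call.args[4], "UNKNOWN")}  # dwCreationDisposition


def analyze(text: str = REPORT_EXCERPT) -> dict:
    report = {"long_sleeps_ms": [], "self_delete_candidates": 0, "process_flags": [], "file_opens": []}
    for calls in parse_functions(text):
        report["long_sleeps_ms"] += long_sleeps(calls)
        report["self_delete_candidates"] += int(self_delete_candidate(calls))
        for c in calls:
            if c.api == "CreateProcessA":
                report["process_flags"].append(describe_create_process(c))
            elif c.api == "CreateFileA":
                report["file_opens"].append(describe_create_file(c))
    return report


if __name__ == "__main__":
    print(analyze())
```

Run on the embedded excerpt, analyze() reports one 90,000 ms sleep, one self-delete candidate, a DETACHED_PROCESS child and a GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING file open. The "?" placeholders are kept as None rather than guessed, so anything the report leaves unresolved stays unresolved in the output.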