Windows Analysis Report
bEsOrli29K.exe

Overview

General Information

Sample name: bEsOrli29K.exe
Analysis ID: 1503014
MD5: a3247152e18ba6e88311f082a86515d3
SHA1: 80da2f14bb17f2d3ff1df6faf25622ebb8cf00c8
SHA256: 02c6f9163a5d988cee3ab12c11e03b18329c26d6b4863004f943133654693e97
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • bEsOrli29K.exe (PID: 5344 cmdline: "C:\Users\user\Desktop\bEsOrli29K.exe" MD5: A3247152E18BA6E88311F082A86515D3)
    • cmd.exe (PID: 2672 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\edgikboy\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6488 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe" C:\Windows\SysWOW64\edgikboy\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7060 cmdline: "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3620 cmdline: "C:\Windows\System32\sc.exe" description edgikboy "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6056 cmdline: "C:\Windows\System32\sc.exe" start edgikboy MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 1848 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1032 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • pwdgvjcm.exe (PID: 5496 cmdline: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d"C:\Users\user\Desktop\bEsOrli29K.exe" MD5: A0F884B02EE655DEE8140FACC411FA01)
    • svchost.exe (PID: 3552 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 3008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 392 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 5712 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 1784 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5344 -ip 5344 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5248 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5496 -ip 5496 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 1576 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Extracted malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0000000C.00000002.2281554914.0000000000623000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x990:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
(24 entries in total; the remaining entries are not included in this extract)

Source | Rule | Description | Author | Strings
0.3.bEsOrli29K.exe.5f0000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.bEsOrli29K.exe.5f0000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
0.3.bEsOrli29K.exe.5f0000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.3.bEsOrli29K.exe.5f0000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.bEsOrli29K.exe.5f0000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
(39 entries in total; the remaining entries are not included in this extract)

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d"C:\Users\user\Desktop\bEsOrli29K.exe", ParentImage: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe, ParentProcessId: 5496, ParentProcessName: pwdgvjcm.exe, ProcessCommandLine: svchost.exe, ProcessId: 3552, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\bEsOrli29K.exe", ParentImage: C:\Users\user\Desktop\bEsOrli29K.exe, ParentProcessId: 5344, ParentProcessName: bEsOrli29K.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7060, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 3552, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49713
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d"C:\Users\user\Desktop\bEsOrli29K.exe", ParentImage: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe, ParentProcessId: 5496, ParentProcessName: pwdgvjcm.exe, ProcessCommandLine: svchost.exe, ProcessId: 3552, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 3552, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\edgikboy
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\bEsOrli29K.exe", ParentImage: C:\Users\user\Desktop\bEsOrli29K.exe, ParentProcessId: 5344, ParentProcessName: bEsOrli29K.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7060, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 5712, ProcessName: svchost.exe
No Suricata rule has matched

        AV Detection

Source: bEsOrli29K.exe | Avira: detected
Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe | Avira: detection malicious, Label: HEUR/AGEN.1316832
Source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe | Joe Sandbox ML: detected
Source: bEsOrli29K.exe | Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\bEsOrli29K.exe | Unpacked PE file: 0.2.bEsOrli29K.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Unpacked PE file: 12.2.pwdgvjcm.exe.400000.0.unpack
Source: bEsOrli29K.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\bEsOrli29K.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\edgikboy

        Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.184.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.77 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.11.0
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | IP Address: 67.195.204.77
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View | ASN Name: YAHOO-3US
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 52.101.11.0:25
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 67.195.204.77:25
Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 64.233.184.26:25
Source: global traffic | TCP traffic: 192.168.2.5:49720 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree | 0_2_00402A62
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.pwdgvjcm.exe.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.540e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bEsOrli29K.exe PID: 5344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pwdgvjcm.exe PID: 5496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3552, type: MEMORYSTR

        System Summary

        barindex
        Source: 0.3.bEsOrli29K.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.bEsOrli29K.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.3.pwdgvjcm.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.pwdgvjcm.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.bEsOrli29K.exe.540e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.bEsOrli29K.exe.540e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.pwdgvjcm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.pwdgvjcm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 19.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 19.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.pwdgvjcm.exe.5f0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.pwdgvjcm.exe.5f0000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.pwdgvjcm.exe.5f0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.pwdgvjcm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.pwdgvjcm.exe.5f0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.pwdgvjcm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 19.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 19.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.bEsOrli29K.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.bEsOrli29K.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.3.pwdgvjcm.exe.5f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.pwdgvjcm.exe.5f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.bEsOrli29K.exe.540e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.bEsOrli29K.exe.540e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.bEsOrli29K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.bEsOrli29K.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2281554914.0000000000623000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.2181701002.000000000069A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,0_2_00401280
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\edgikboy\Jump to behavior
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_0040C9130_2_0040C913
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_004278610_2_00427861
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_0042A2100_2_0042A210
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_0042731D0_2_0042731D
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_00426DD90_2_00426DD9
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: 0_2_00429BEB0_2_00429BEB
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exeCode function: 12_2_0040C91312_2_0040C913
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exeCode function: 12_2_0042786112_2_00427861
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exeCode function: 12_2_0042A21012_2_0042A210
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exeCode function: 12_2_0042731D12_2_0042731D
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exeCode function: 12_2_00426DD912_2_00426DD9
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exeCode function: 12_2_00429BEB12_2_00429BEB
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_004CC91319_2_004CC913
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: String function: 005427AB appears 35 times
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\bEsOrli29K.exeCode function: String function: 00402544 appears 53 times
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5344 -ip 5344
        Source: bEsOrli29K.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 0.3.bEsOrli29K.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.bEsOrli29K.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.pwdgvjcm.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.pwdgvjcm.exe.5f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.bEsOrli29K.exe.540e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.bEsOrli29K.exe.540e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.pwdgvjcm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.pwdgvjcm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 19.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 19.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.pwdgvjcm.exe.5f0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.pwdgvjcm.exe.5f0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.pwdgvjcm.exe.5f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.pwdgvjcm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.pwdgvjcm.exe.5f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.pwdgvjcm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 19.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 19.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.bEsOrli29K.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.bEsOrli29K.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.pwdgvjcm.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.pwdgvjcm.exe.5f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.pwdgvjcm.exe.5f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.bEsOrli29K.exe.540e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.bEsOrli29K.exe.540e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.bEsOrli29K.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.bEsOrli29K.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2281554914.0000000000623000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2181701002.000000000069A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/3@9/5
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0069B00E CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_004C9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:1784:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5248:64:WilError_03
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | File created: C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe
        Source: bEsOrli29K.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | File read: C:\Users\user\Desktop\bEsOrli29K.exe
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
        Source: unknown | Process created: C:\Users\user\Desktop\bEsOrli29K.exe "C:\Users\user\Desktop\bEsOrli29K.exe"
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\edgikboy\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe" C:\Windows\SysWOW64\edgikboy\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description edgikboy "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start edgikboy
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d"C:\Users\user\Desktop\bEsOrli29K.exe"
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1032
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5496 -ip 5496
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 392
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1032
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 392
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\bEsOrli29K.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\bEsOrli29K.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

        Data Obfuscation

        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Unpacked PE file: 0.2.bEsOrli29K.exe.400000.0.unpack | section rights: .text:ER; .rdata:R; .data:W; .rsrc:R; vs .text:ER; .rdata:R; .data:W; .reloc:R;
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Unpacked PE file: 12.2.pwdgvjcm.exe.400000.0.unpack | section rights: .text:ER; .rdata:R; .data:W; .rsrc:R; vs .text:ER; .rdata:R; .data:W; .reloc:R;
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Unpacked PE file: 0.2.bEsOrli29K.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Unpacked PE file: 12.2.pwdgvjcm.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0069E2F6 push 0000002Bh; iretd 0_2_0069E2FC
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_00626CA6 push 0000002Bh; iretd 12_2_00626CAC
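Added example, not Joe Sandbox's code and not code from the sample: the "Unpacked PE file" entries above are produced by comparing the section table of the dumped image with the section table the file shipped with, and the rights letters come straight from each IMAGE_SECTION_HEADER.Characteristics. The script below performs that comparison in pure Python on three constructed, header-only PE32 images (one with the .rsrc table the report prints, one with the .reloc table, one whose .text has additionally been made writable). The fixture builder, the fixture names and the wording of the change list are my own; on a real case you pass the file bytes and a process dump to section_rights instead.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_rights(image):
    """Map section name -> rights letters (E/R/W) read from IMAGE_SECTION_HEADER.Characteristics.

    Works on a file read from disk or on a dumped in-memory image; only the headers are parsed.
    """
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_header = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, file_header + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, file_header + 16)[0]
    table = file_header + 20 + size_of_optional      # first IMAGE_SECTION_HEADER (40 bytes each)
    rights = {}
    for i in range(number_of_sections):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", image, entry + 36)[0]
        letters = ""
        if characteristics & IMAGE_SCN_MEM_EXECUTE:
            letters += "E"
        if characteristics & IMAGE_SCN_MEM_READ:
            letters += "R"
        if characteristics & IMAGE_SCN_MEM_WRITE:
            letters += "W"
        rights[name] = letters
    return rights


def format_rights(rights):
    """Render in the report's notation, e.g. '.text:ER;.rdata:R;...'."""
    return "".join(f"{name}:{letters};" for name, letters in rights.items())


def diff_section_rights(on_disk, in_memory):
    """List what changed between the file's section table and the one found in the dump."""
    changes = []
    for name, letters in on_disk.items():
        if name not in in_memory:
            changes.append(f"removed {name}:{letters}")
        elif in_memory[name] != letters:
            changes.append(f"changed {name}:{letters}->{in_memory[name]}")
    for name, letters in in_memory.items():
        if name not in on_disk:
            changes.append(f"added {name}:{letters}")
    return changes


def build_minimal_pe(sections):
    """Constructed fixture: a bare PE32 header (no code, no data) with the given (name, characteristics) sections."""
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    optional_header = b"\0" * 224                                          # PE32 optional header size
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional_header), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, chars) for name, chars in sections)
    return dos_header + b"PE\0\0" + file_header + optional_header + table


# Constructed images mirroring the two section tables the report prints for this sample.
ON_DISK_PE = build_minimal_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", IMAGE_SCN_MEM_READ),
])
IN_MEMORY_PE = build_minimal_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".reloc", IMAGE_SCN_MEM_READ),
])
# Same as above but with .text made writable, as a self-modifying unpacker stub needs it.
SELF_MODIFYING_PE = build_minimal_pe([
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rdata", IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".reloc", IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    print(format_rights(section_rights(ON_DISK_PE)), "vs", format_rights(section_rights(IN_MEMORY_PE)))
    for change in diff_section_rights(section_rights(ON_DISK_PE), section_rights(SELF_MODIFYING_PE)):
        print(change)
```

The loader maps the file's own headers into the process, so any difference between the two tables means the running code rewrote its PE header in memory. A .text section that has gained W is the strongest of the signals (the stub has to write its decrypted code somewhere executable); a swapped trailing section such as .rsrc against .reloc shows that the header was replaced wholesale, which is what this report records for both the dropper and the service copy.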

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | File created: C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe (copy) (reported twice)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\edgikboy
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\besorli29k.exe
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process information set: NOGPFAULTERRORBOX (12 times), NOOPENFILEERRORBOX (once)
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Process information set: NOGPFAULTERRORBOX (2 times)
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 times)
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (10 times)
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS|NOGPFAULTERRORBOX (10 times), NOOPENFILEERRORBOX (8 times)
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX (2 times)
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS|NOGPFAULTERRORBOX (10 times), NOOPENFILEERRORBOX (8 times)

        Malware Analysis System Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 19_2_004C199C
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-18050
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_19-6432
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-18368
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_19-6140
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-17421
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_19-7325
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-17398
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_19-7419
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-17051
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-16973
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | API coverage: 6.0 %
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | API coverage: 4.8 %
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (5 times)
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_004250B9 GetSystemTimes followed by cmp: cmp dword ptr [0043e834h], 0ah and CTI: jne 00425244h 0_2_004250B9
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_004250B9 GetSystemTimes followed by cmp: cmp dword ptr [0043e834h], 0ah and CTI: jne 00425244h 12_2_004250B9
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
        Source: svchost.exe, 00000013.00000002.3293295066.0000000002A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | API call chain: ExitProcess graph end node graph_0-17401

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_19-7665
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_12-18429
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0054092B mov eax, dword ptr fs:[00000030h] 0_2_0054092B
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00540D90 mov eax, dword ptr fs:[00000030h] 0_2_00540D90
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0069A8EB push dword ptr fs:[00000030h] 0_2_0069A8EB
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_005D092B mov eax, dword ptr fs:[00000030h] 12_2_005D092B
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_005D0D90 mov eax, dword ptr fs:[00000030h] 12_2_005D0D90
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_0062329B push dword ptr fs:[00000030h] 12_2_0062329B
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
        Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_00409A6B, the same API chain as 0_2_00409A6B above, 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_004C9A6B, the same API chain as 0_2_00409A6B above (injected copy, rebased to 4C0000), 19_2_004C9A6B

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.184.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.77 25
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4C0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4C0000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4C0000
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 243008
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\edgikboy\
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe" C:\Windows\SysWOW64\edgikboy\
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description edgikboy "wifi internet conection"
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start edgikboy
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5344 -ip 5344
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1032
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5496 -ip 5496
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 392
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\bEsOrli29K.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

Source: Yara match | File source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.pwdgvjcm.exe.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.540e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bEsOrli29K.exe PID: 5344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pwdgvjcm.exe PID: 5496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3552, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match | File source: 0.3.bEsOrli29K.exe.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.pwdgvjcm.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.pwdgvjcm.exe.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.540e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bEsOrli29K.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bEsOrli29K.exe PID: 5344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pwdgvjcm.exe PID: 5496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3552, type: MEMORYSTR
Source: C:\Users\user\Desktop\bEsOrli29K.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
Source: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,12_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_004C88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,19_2_004C88B0
MITRE ATT&CK Matrix (cells listed by tactic column; a number in parentheses is the count shown in that matrix cell)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Native API (41), Command and Scripting Interpreter (2), Service Execution (3), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: DLL Side-Loading (1), Valid Accounts (1), Windows Service (14), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Privilege Escalation: DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (14), Process Injection (412), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Defense Evasion: Disable or Modify Tools (3), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1), File Deletion (1), Masquerading (12), Valid Accounts (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (412)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery (12), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (15), Security Software Discovery (111), Virtualization/Sandbox Evasion (1), Process Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1), Network Service Discovery, System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (112), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
Behavior Graph (ID: 1503014, Sample: bEsOrli29K.exe, Startdate: 02/09/2024, Architecture: WINDOWS, Score: 100). Information recoverable from the graph:

• Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures. Contacted domains: yahoo.com, vanaheim.cn and 6 other IPs or domains.
• bEsOrli29K.exe: drops C:\Users\user\AppData\Local\...\pwdgvjcm.exe (PE32); starts cmd.exe (twice), netsh.exe and 4 other processes, each with a conhost.exe; signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. The cmd.exe child drops C:\Windows\SysWOW64\...\pwdgvjcm.exe (copy), PE32.
• pwdgvjcm.exe: starts svchost.exe and WerFault.exe; signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures.
• svchost.exe (started by pwdgvjcm.exe): connects to mta7.am0.yahoodns.net (67.195.204.77, port 25, YAHOO-3US, United States), microsoft-com.mail.protection.outlook.com (52.101.11.0, port 25, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 3 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry).
• Two further svchost.exe instances run at top level; one of them starts WerFault.exe twice.

Source | Detection | Scanner | Label
bEsOrli29K.exe | 100% | Avira | HEUR/AGEN.1316832
bEsOrli29K.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe | 100% | Avira | HEUR/AGEN.1316832
C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
jotunheim.name:443 | 100% | Avira URL Cloud | malware
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
mta7.am0.yahoodns.net | 67.195.204.77 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown
vanaheim.cn | 77.232.41.29 | true | true | | unknown
smtp.google.com | 64.233.184.26 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
64.233.184.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
67.195.204.77 | mta7.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true
77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503014
Start date and time: 2024-09-02 16:59:55 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: bEsOrli29K.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@32/3@9/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 64
• Number of non-executed functions: 268
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.236.44.162, 20.76.201.171, 20.70.246.20, 20.231.239.246, 20.112.250.133
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: bEsOrli29K.exe
Time | Type | Description
11:01:55 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.11.0 | SGn3RtDC8Y.exe | malicious | Tofsee
52.101.11.0 | vyrcclmm.exe | malicious | Tofsee
52.101.11.0 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
52.101.11.0 | DWoKcG581L.exe | malicious | Tofsee
52.101.11.0 | kPl1mZTpru.exe | malicious | Tofsee
52.101.11.0 | Wc4SadetF5.exe | malicious | Tofsee
52.101.11.0 | L7iza9mNDI.exe | malicious | Tofsee
52.101.11.0 | file.exe | malicious | Tofsee
52.101.11.0 | sorteado!!.com.exe | malicious | Unknown
52.101.11.0 | U9dDsItOij.exe | malicious | Tofsee
217.69.139.150 | Eduhazqw4u.exe | malicious | Tofsee
217.69.139.150 | SGn3RtDC8Y.exe | malicious | Tofsee
217.69.139.150 | Sm4Ty3Em4z.exe | malicious | Tofsee
217.69.139.150 | ewdWlNc8TL.exe | malicious | Tofsee
217.69.139.150 | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee
217.69.139.150 | vyrcclmm.exe | malicious | Tofsee
217.69.139.150 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
217.69.139.150 | I5vhb7vJPS.exe | malicious | Tofsee
217.69.139.150 | lYWiDKe1In.exe | malicious | Tofsee
217.69.139.150 | dIg0MWRViP.exe | malicious | Tofsee
67.195.204.77 | m4Jp2TLBHJ.exe | malicious | Tofsee
67.195.204.77 | vyrcclmm.exe | malicious | Tofsee
67.195.204.77 | file.exe | malicious | Phorpiex, Xmrig
67.195.204.77 | l3Qj8QhTYZ.exe | malicious | Phorpiex
67.195.204.77 | data.log.exe | malicious | Unknown
67.195.204.77 | message.elm.exe | malicious | Unknown
67.195.204.77 | message.txt.exe | malicious | Unknown
67.195.204.77 | test.dat.exe | malicious | Unknown
67.195.204.77 | Update-KB78-x86.exe | malicious | Unknown
67.195.204.77 | Update-KB9504-x86.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
microsoft-com.mail.protection.outlook.com | Eduhazqw4u.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | igvdwmhd.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | .exe | malicious | Unknown | 52.101.40.26
microsoft-com.mail.protection.outlook.com | Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | ewdWlNc8TL.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | rRBVVlBwia.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | setup.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | m4Jp2TLBHJ.exe | malicious | Tofsee | 104.47.53.36
vanaheim.cn | Eduhazqw4u.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | igvdwmhd.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | setup.exe | malicious | Tofsee | 185.218.0.41
vanaheim.cn | m4Jp2TLBHJ.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 195.133.13.231
mta7.am0.yahoodns.net | Eduhazqw4u.exe | malicious | Tofsee | 67.195.228.109
mta7.am0.yahoodns.net | setup.exe | malicious | Tofsee | 98.136.96.76
mta7.am0.yahoodns.net | m4Jp2TLBHJ.exe | malicious | Tofsee | 67.195.204.77
mta7.am0.yahoodns.net | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 67.195.204.74
mta7.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 67.195.228.94
mta7.am0.yahoodns.net | dIg0MWRViP.exe | malicious | Tofsee | 67.195.228.94
mta7.am0.yahoodns.net | rpzOeQ5QzX.exe | malicious | Tofsee | 98.136.96.91
mta7.am0.yahoodns.net | SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | malicious | Phorpiex | 67.195.228.94
mta7.am0.yahoodns.net | SecuriteInfo.com.Win32.BotX-gen.31335.5127.exe | malicious | Tofsee | 67.195.204.73
                                                                                    file.exeGet hashmaliciousPhorpiexBrowse
                                                                                    • 67.195.228.111
                                                                                    mxs.mail.ruEduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                    • 94.100.180.31
                                                                                    fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                                    • 94.100.180.31
                                                                                    SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    rRBVVlBwia.exeGet hashmaliciousTofseeBrowse
                                                                                    • 94.100.180.31
                                                                                    setup.exeGet hashmaliciousTofseeBrowse
                                                                                    • 94.100.180.31
                                                                                    5CxmQXL0LD.exeGet hashmaliciousSystemBCBrowse
                                                                                    • 94.100.180.31
                                                                                    m4Jp2TLBHJ.exeGet hashmaliciousTofseeBrowse
                                                                                    • 94.100.180.31
                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    MAILRU-ASMailRuRUhttp://manga-netflix10737.tinyblogging.com.xx3.kz/Get hashmaliciousUnknownBrowse
                                                                                    • 94.100.180.209
                                                                                    SecuriteInfo.com.Trojan.Crypt.23519.13317.exeGet hashmaliciousUnknownBrowse
                                                                                    • 188.93.63.129
                                                                                    SecuriteInfo.com.Trojan.Crypt.23519.13317.exeGet hashmaliciousUnknownBrowse
                                                                                    • 188.93.63.180
                                                                                    Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                    • 94.100.180.31
                                                                                    fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                                    • 94.100.180.31
                                                                                    SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    SecuriteInfo.com.Trojan.Crypt.28917.30010.exeGet hashmaliciousUnknownBrowse
                                                                                    • 5.61.236.163
                                                                                    IISz6QDXkY.elfGet hashmaliciousMiraiBrowse
                                                                                    • 5.61.23.77
                                                                                    YAHOO-3USfirmware.armv7l.elfGet hashmaliciousUnknownBrowse
                                                                                    • 74.6.99.126
                                                                                    Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                    • 67.195.204.73
                                                                                    ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                    • 67.195.204.74
                                                                                    arm7.elfGet hashmaliciousMiraiBrowse
                                                                                    • 98.139.166.43
                                                                                    https://www.ima-india.com/index.phpGet hashmaliciousUnknownBrowse
                                                                                    • 74.6.138.67
                                                                                    https://www.ima-india.com/index.phpGet hashmaliciousUnknownBrowse
                                                                                    • 74.6.138.67
                                                                                    https://www.ima-india.com/index.php?option=com_content&view=article&id=1092&Itemid=483Get hashmaliciousUnknownBrowse
                                                                                    • 74.6.138.65
                                                                                    D8OieODwpn.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                                    • 72.30.110.165
                                                                                    m4Jp2TLBHJ.exeGet hashmaliciousTofseeBrowse
                                                                                    • 67.195.204.77
                                                                                    SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exeGet hashmaliciousTofseeBrowse
                                                                                    • 67.195.204.74
                                                                                    MICROSOFT-CORP-MSN-AS-BLOCKUS1RGKUwuqi0.exeGet hashmaliciousRemcos, PureLog Stealer, XRedBrowse
                                                                                    • 13.107.246.57
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.246.73
                                                                                    3.dllGet hashmaliciousUnknownBrowse
                                                                                    • 20.42.65.92
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.246.73
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.246.60
                                                                                    1Td9Py5FAy.xlsGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.246.67
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.246.60
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.246.57
                                                                                    REQST_PRC 410240.exeGet hashmaliciousFormBookBrowse
                                                                                    • 20.2.249.7
                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                    • 52.123.243.70
                                                                                    No context
                                                                                    No context
Process: C:\Users\user\Desktop\bEsOrli29K.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14984704
Entropy (8bit): 4.9830233944354125
Encrypted: false
SSDEEP: 6144:4LqN3Bt36iM/ofpKhn9nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn:4WN3X363H
MD5: A0F884B02EE655DEE8140FACC411FA01
SHA1: CB93EDC0386F266F4B49B1EE99A206E2ACEDF8A8
SHA-256: 4F107BE1DBED955B6EA91A5708FBAFE2D8700B49872526C52A90445024AA0219
SHA-512: 9DE9571B13D0648AAE33AADFE56DE6C035966569A9C2FFD37CD3C814359F35D1A87CFB5A340CC1C9A08E187F1F3783426D7F4CD24082A8EB9A6F59D7C679298A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14984704
Entropy (8bit): 4.9830233944354125
Encrypted: false
SSDEEP: 6144:4LqN3Bt36iM/ofpKhn9nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn:4WN3X363H
MD5: A0F884B02EE655DEE8140FACC411FA01
SHA1: CB93EDC0386F266F4B49B1EE99A206E2ACEDF8A8
SHA-256: 4F107BE1DBED955B6EA91A5708FBAFE2D8700B49872526C52A90445024AA0219
SHA-512: 9DE9571B13D0648AAE33AADFE56DE6C035966569A9C2FFD37CD3C814359F35D1A87CFB5A340CC1C9A08E187F1F3783426D7F4CD24082A8EB9A6F59D7C679298A
Malicious: true
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview (CRLF line terminators restored):
A specified value is not valid.

Usage: add rule name=<string>
      dir=in|out
      action=allow|block|bypass
      [program=<program path>]
      [service=<service short name>|any]
      [description=<string>]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...]]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
      [remoteport=0-65535|<port range>[,...]|any (default=any)]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any (default=any)]
      [interfacetype=wireless|lan|ras|any]
      [rmtcomputergrp=<SDDL string>]
      [rmtusrgrp=<SDDL string>]
      [edge=yes|deferapp|deferuser|no (default=no)]
      [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.860638527068354
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: bEsOrli29K.exe
File size: 218'624 bytes
MD5: a3247152e18ba6e88311f082a86515d3
SHA1: 80da2f14bb17f2d3ff1df6faf25622ebb8cf00c8
SHA256: 02c6f9163a5d988cee3ab12c11e03b18329c26d6b4863004f943133654693e97
SHA512: b09fc49d7126b37c37f499be522c4b57e7538d2f64600bd789c93d90a315a023f0fbed9466c6069a38bb8c80bc9a6b250fcaec03b59ecfb3a40754c235c3e6d8
SSDEEP: 3072:AOFL8HN3BB33u/iMUk6efofpWqX2hnesi5kb:tLqN3Bt36iM/ofpKhn9
TLSH: 2524BE213AA1F032D1A745709970FAE06A7B783222B5C0CB7FA41B7F6E602D15A1735F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-*..iK..iK..iK....|.hK..w.n.KK..w...pK..w.i..K..N...lK..iK...K..w.`.hK..w.~.hK..w.{.hK..RichiK..................PE..L....x.d...
Icon Hash: 73a733b18b8383cc
Entrypoint: 0x401749
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64D978D5 [Mon Aug 14 00:44:05 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 48018783cf28f3141db6304599edb5a2
                                                                                    Instruction
                                                                                    call 00007FC384F0E9C5h
                                                                                    jmp 00007FC384F0A52Eh
                                                                                    mov edi, edi
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 00000328h
                                                                                    mov dword ptr [0042FF58h], eax
                                                                                    mov dword ptr [0042FF54h], ecx
                                                                                    mov dword ptr [0042FF50h], edx
                                                                                    mov dword ptr [0042FF4Ch], ebx
                                                                                    mov dword ptr [0042FF48h], esi
                                                                                    mov dword ptr [0042FF44h], edi
                                                                                    mov word ptr [0042FF70h], ss
                                                                                    mov word ptr [0042FF64h], cs
                                                                                    mov word ptr [0042FF40h], ds
                                                                                    mov word ptr [0042FF3Ch], es
                                                                                    mov word ptr [0042FF38h], fs
                                                                                    mov word ptr [0042FF34h], gs
                                                                                    pushfd
                                                                                    pop dword ptr [0042FF68h]
                                                                                    mov eax, dword ptr [ebp+00h]
                                                                                    mov dword ptr [0042FF5Ch], eax
                                                                                    mov eax, dword ptr [ebp+04h]
                                                                                    mov dword ptr [0042FF60h], eax
                                                                                    lea eax, dword ptr [ebp+08h]
                                                                                    mov dword ptr [0042FF6Ch], eax
                                                                                    mov eax, dword ptr [ebp-00000320h]
                                                                                    mov dword ptr [0042FEA8h], 00010001h
                                                                                    mov eax, dword ptr [0042FF60h]
                                                                                    mov dword ptr [0042FE5Ch], eax
                                                                                    mov dword ptr [0042FE50h], C0000409h
                                                                                    mov dword ptr [0042FE54h], 00000001h
                                                                                    mov eax, dword ptr [0042E004h]
                                                                                    mov dword ptr [ebp-00000328h], eax
                                                                                    mov eax, dword ptr [0042E008h]
                                                                                    mov dword ptr [ebp-00000324h], eax
                                                                                    call dword ptr [000000A4h]
                                                                                    Programming Language:
                                                                                    • [C++] VS2008 build 21022
                                                                                    • [ASM] VS2008 build 21022
                                                                                    • [ C ] VS2008 build 21022
                                                                                    • [IMP] VS2005 build 50727
                                                                                    • [RES] VS2008 build 21022
                                                                                    • [LNK] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2cb8c          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x41000          0x6fb8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2b000          0x1a0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x295cb       0x29600   0e492b32e175e9c3c43624614dc9d116  False     0.5475535781722054   data       5.9689030476065525  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x2b000          0x24b0        0x2600    8a4650538da98cbdbe21505d67522f62  False     0.36944901315789475  data       5.432191623802317   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x2e000          0x129c8       0x2600    23538072e22f8730f3a503bc5f6b23e0  False     0.216796875          data       2.335729383671652   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x41000          0x6fb8        0x7000    473eb0a900d01c016c9446aef32ca7d4  False     0.48814174107142855  data       4.9548090688116115  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x41340 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.35980810234541577
RT_ICON | 0x421e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.569043321299639
RT_ICON | 0x42a90 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6100230414746544
RT_ICON | 0x43158 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6640173410404624
RT_ICON | 0x436c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.43060165975103737
RT_ICON | 0x45c68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5360655737704918
RT_ICON | 0x465f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5212765957446809
RT_STRING | 0x46cb8 | 0x66 | data | | | 0.6274509803921569
RT_STRING | 0x46d20 | 0x21e | data | | | 0.5055350553505535
RT_STRING | 0x46f40 | 0x608 | data | | | 0.43976683937823835
RT_STRING | 0x47548 | 0xce | data | | | 0.5825242718446602
RT_STRING | 0x47618 | 0x78e | data | | | 0.41985522233712513
RT_STRING | 0x47da8 | 0x210 | data | | | 0.5151515151515151
RT_GROUP_ICON | 0x46a58 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
RT_VERSION | 0x46ac0 | 0x1f8 | data | | | 0.5694444444444444
DLL | Import
KERNEL32.dll | GetComputerNameA, GetFullPathNameA, GetNumaProcessorNode, GetProcessIoCounters, OpenJobObjectA, UnlockFile, GetTimeFormatA, GetModuleHandleW, GetTickCount, GetDateFormatA, GetSystemTimes, GlobalAlloc, LoadLibraryW, FormatMessageW, InitAtomTable, HeapCreate, FlushInstructionCache, GetProcAddress, GetNumaHighestNodeNumber, GetAtomNameA, LoadLibraryA, InterlockedExchangeAdd, SetCalendarInfoW, VirtualLock, HeapLock, GetCommMask, GetCurrentConsoleFont, SetCommMask, FoldStringA, lstrcatW, FreeEnvironmentStringsW, VirtualProtect, EnumDateFormatsW, SetFileShortNameA, DebugBreak, GetModuleHandleA, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, ReadFile, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, Sleep, HeapSize, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, RtlUnwind, MultiByteToWideChar, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle, RaiseException
USER32.dll | InflateRect, GetActiveWindow, LoadIconA
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2024 17:01:12.894964933 CEST | 49713 | 25 | 192.168.2.5 | 52.101.11.0
Sep 2, 2024 17:01:13.899575949 CEST | 49713 | 25 | 192.168.2.5 | 52.101.11.0
Sep 2, 2024 17:01:15.915163994 CEST | 49713 | 25 | 192.168.2.5 | 52.101.11.0
Sep 2, 2024 17:01:16.052149057 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:01:16.052184105 CEST | 443 | 49714 | 77.232.41.29 | 192.168.2.5
Sep 2, 2024 17:01:16.052258015 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:01:19.930856943 CEST | 49713 | 25 | 192.168.2.5 | 52.101.11.0
Sep 2, 2024 17:01:27.930934906 CEST | 49713 | 25 | 192.168.2.5 | 52.101.11.0
Sep 2, 2024 17:01:32.932591915 CEST | 49715 | 25 | 192.168.2.5 | 67.195.204.77
Sep 2, 2024 17:01:33.930762053 CEST | 49715 | 25 | 192.168.2.5 | 67.195.204.77
Sep 2, 2024 17:01:35.930895090 CEST | 49715 | 25 | 192.168.2.5 | 67.195.204.77
Sep 2, 2024 17:01:39.930913925 CEST | 49715 | 25 | 192.168.2.5 | 67.195.204.77
Sep 2, 2024 17:01:47.930753946 CEST | 49715 | 25 | 192.168.2.5 | 67.195.204.77
Sep 2, 2024 17:01:53.267651081 CEST | 49717 | 25 | 192.168.2.5 | 64.233.184.26
Sep 2, 2024 17:01:54.274552107 CEST | 49717 | 25 | 192.168.2.5 | 64.233.184.26
Sep 2, 2024 17:01:56.040247917 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:01:56.040330887 CEST | 443 | 49714 | 77.232.41.29 | 192.168.2.5
Sep 2, 2024 17:01:56.040410995 CEST | 49714 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:01:56.150238991 CEST | 49718 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:01:56.150276899 CEST | 443 | 49718 | 77.232.41.29 | 192.168.2.5
Sep 2, 2024 17:01:56.150420904 CEST | 49718 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:01:56.274487019 CEST | 49717 | 25 | 192.168.2.5 | 64.233.184.26
Sep 2, 2024 17:02:00.290184021 CEST | 49717 | 25 | 192.168.2.5 | 64.233.184.26
Sep 2, 2024 17:02:08.305799007 CEST | 49717 | 25 | 192.168.2.5 | 64.233.184.26
Sep 2, 2024 17:02:13.327121019 CEST | 49720 | 25 | 192.168.2.5 | 217.69.139.150
Sep 2, 2024 17:02:14.321377039 CEST | 49720 | 25 | 192.168.2.5 | 217.69.139.150
Sep 2, 2024 17:02:16.337065935 CEST | 49720 | 25 | 192.168.2.5 | 217.69.139.150
Sep 2, 2024 17:02:20.352616072 CEST | 49720 | 25 | 192.168.2.5 | 217.69.139.150
Sep 2, 2024 17:02:28.352631092 CEST | 49720 | 25 | 192.168.2.5 | 217.69.139.150
Sep 2, 2024 17:02:36.166172028 CEST | 49718 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:02:36.166285038 CEST | 443 | 49718 | 77.232.41.29 | 192.168.2.5
Sep 2, 2024 17:02:36.166354895 CEST | 49718 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:02:36.300311089 CEST | 49721 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:02:36.300357103 CEST | 443 | 49721 | 77.232.41.29 | 192.168.2.5
Sep 2, 2024 17:02:36.300431967 CEST | 49721 | 443 | 192.168.2.5 | 77.232.41.29
Sep 2, 2024 17:02:54.775134087 CEST | 49723 | 25 | 192.168.2.5 | 52.101.11.0
Sep 2, 2024 17:02:55.774413109 CEST | 49723 | 25 | 192.168.2.5 | 52.101.11.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2024 17:01:12.840128899 CEST | 61284 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:01:12.894134998 CEST | 53 | 61284 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:01:15.775536060 CEST | 60405 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:01:16.051440001 CEST | 53 | 60405 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:01:32.900233984 CEST | 60932 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:01:32.921876907 CEST | 53 | 60932 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:01:32.922560930 CEST | 54224 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:01:32.932095051 CEST | 53 | 54224 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:01:52.946901083 CEST | 55536 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:01:53.256279945 CEST | 53 | 55536 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:01:53.257189989 CEST | 64587 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:01:53.267031908 CEST | 53 | 64587 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:02:13.259567022 CEST | 57801 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:02:13.266614914 CEST | 53 | 57801 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:02:13.267452955 CEST | 50145 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:02:13.325735092 CEST | 53 | 50145 | 1.1.1.1 | 192.168.2.5
Sep 2, 2024 17:02:54.765754938 CEST | 54862 | 53 | 192.168.2.5 | 1.1.1.1
Sep 2, 2024 17:02:54.774537086 CEST | 53 | 54862 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 2, 2024 17:01:12.840128899 CEST | 192.168.2.5 | 1.1.1.1 | 0x9eac | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:15.775536060 CEST | 192.168.2.5 | 1.1.1.1 | 0x8151 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.900233984 CEST | 192.168.2.5 | 1.1.1.1 | 0xa4d7 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:01:32.922560930 CEST | 192.168.2.5 | 1.1.1.1 | 0xc111 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:52.946901083 CEST | 192.168.2.5 | 1.1.1.1 | 0x37f5 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:01:53.257189989 CEST | 192.168.2.5 | 1.1.1.1 | 0xd676 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:13.259567022 CEST | 192.168.2.5 | 1.1.1.1 | 0x4d0d | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:02:13.267452955 CEST | 192.168.2.5 | 1.1.1.1 | 0x4d3 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:54.765754938 CEST | 192.168.2.5 | 1.1.1.1 | 0x556a | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 2, 2024 17:01:12.894134998 CEST | 1.1.1.1 | 192.168.2.5 | 0x9eac | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:12.894134998 CEST | 1.1.1.1 | 192.168.2.5 | 0x9eac | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:12.894134998 CEST | 1.1.1.1 | 192.168.2.5 | 0x9eac | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:12.894134998 CEST | 1.1.1.1 | 192.168.2.5 | 0x9eac | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:16.051440001 CEST | 1.1.1.1 | 192.168.2.5 | 0x8151 | No error (0) | vanaheim.cn | | 77.232.41.29 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.921876907 CEST | 1.1.1.1 | 192.168.2.5 | 0xa4d7 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:01:32.921876907 CEST | 1.1.1.1 | 192.168.2.5 | 0xa4d7 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:01:32.921876907 CEST | 1.1.1.1 | 192.168.2.5 | 0xa4d7 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:32.932095051 CEST | 1.1.1.1 | 192.168.2.5 | 0xc111 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:53.256279945 CEST | 1.1.1.1 | 192.168.2.5 | 0x37f5 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:01:53.267031908 CEST | 1.1.1.1 | 192.168.2.5 | 0xd676 | No error (0) | smtp.google.com | | 64.233.184.26 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:53.267031908 CEST | 1.1.1.1 | 192.168.2.5 | 0xd676 | No error (0) | smtp.google.com | | 74.125.206.27 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:53.267031908 CEST | 1.1.1.1 | 192.168.2.5 | 0xd676 | No error (0) | smtp.google.com | | 74.125.206.26 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:53.267031908 CEST | 1.1.1.1 | 192.168.2.5 | 0xd676 | No error (0) | smtp.google.com | | 142.251.173.26 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:01:53.267031908 CEST | 1.1.1.1 | 192.168.2.5 | 0xd676 | No error (0) | smtp.google.com | | 142.251.173.27 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:13.266614914 CEST | 1.1.1.1 | 192.168.2.5 | 0x4d0d | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 2, 2024 17:02:13.325735092 CEST | 1.1.1.1 | 192.168.2.5 | 0x4d3 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:13.325735092 CEST | 1.1.1.1 | 192.168.2.5 | 0x4d3 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:54.774537086 CEST | 1.1.1.1 | 192.168.2.5 | 0x556a | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:54.774537086 CEST | 1.1.1.1 | 192.168.2.5 | 0x556a | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:54.774537086 CEST | 1.1.1.1 | 192.168.2.5 | 0x556a | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 2, 2024 17:02:54.774537086 CEST | 1.1.1.1 | 192.168.2.5 | 0x556a | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 11:00:48
Start date: 02/09/2024
Path: C:\Users\user\Desktop\bEsOrli29K.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\bEsOrli29K.exe"
Imagebase: 0x400000
File size: 218'624 bytes
MD5 hash: A3247152E18BA6E88311F082A86515D3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2140290785.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2181701002.000000000069A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 11:00:58
Start date: 02/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\edgikboy\
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 11:00:58
Start date: 02/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 11:00:59
Start date: 02/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pwdgvjcm.exe" C:\Windows\SysWOW64\edgikboy\
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                    Target ID:5
                                                                                    Start time:11:00:59
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6d64d0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:11:00:59
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" create edgikboy binPath= "C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d\"C:\Users\user\Desktop\bEsOrli29K.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                    Imagebase:0xa90000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:11:00:59
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6d64d0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:8
                                                                                    Start time:11:01:00
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" description edgikboy "wifi internet conection"
                                                                                    Imagebase:0xa90000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:11:01:00
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6d64d0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:11:01:00
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" start edgikboy
                                                                                    Imagebase:0xa90000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:11:01:00
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6d64d0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:11:01:00
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe /d"C:\Users\user\Desktop\bEsOrli29K.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:14'984'704 bytes
                                                                                    MD5 hash:A0F884B02EE655DEE8140FACC411FA01
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2281554914.0000000000623000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2279300378.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2281500674.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:11:01:01
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                    Imagebase:0x1080000
                                                                                    File size:82'432 bytes
                                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:11:01:01
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6d64d0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:11:01:01
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                    Imagebase:0x7ff7e52b0000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:16
                                                                                    Start time:11:01:01
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5344 -ip 5344
                                                                                    Imagebase:0x70000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:11:01:01
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1032
                                                                                    Imagebase:0x70000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:11:01:11
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:svchost.exe
                                                                                    Imagebase:0x790000
                                                                                    File size:46'504 bytes
                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Has exited:false

                                                                                    Target ID:20
                                                                                    Start time:11:01:11
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5496 -ip 5496
                                                                                    Imagebase:0x70000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:21
                                                                                    Start time:11:01:11
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 392
                                                                                    Imagebase:0x70000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:23
                                                                                    Start time:11:01:34
                                                                                    Start date:02/09/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                    Imagebase:0x7ff7e52b0000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false


                                                                                      Execution Graph

                                                                                      Execution Coverage:3.4%
                                                                                      Dynamic/Decrypted Code Coverage:2.2%
                                                                                      Signature Coverage:25.8%
                                                                                      Total number of Nodes:1598
                                                                                      Total number of Limit Nodes:28
execution_graph: [interactive execution-graph node data (node ids, call edges and API names) omitted; not recoverable as readable content outside the viewer]
17061 4096b9 17060->17061 17447 4073ff 17061->17447 17063 4096e2 17064 4096f7 17063->17064 17467 40704c 17063->17467 17064->16969 17064->16970 17067 4042a5 17066->17067 17068 40429d 17066->17068 17492 403ecd 17067->17492 17068->16973 17093 40675c 17068->17093 17070 4042b0 17496 404000 17070->17496 17073 4043c1 CloseHandle 17073->17068 17074 4042ce 17502 403f18 WriteFile 17074->17502 17079 4043ba CloseHandle 17079->17073 17080 404318 17081 403f18 4 API calls 17080->17081 17082 404331 17081->17082 17083 403f18 4 API calls 17082->17083 17084 40434a 17083->17084 17510 40ebcc GetProcessHeap RtlAllocateHeap 17084->17510 17087 403f18 4 API calls 17088 404389 17087->17088 17089 40ec2e codecvt 4 API calls 17088->17089 17090 40438f 17089->17090 17091 403f8c 4 API calls 17090->17091 17092 40439f CloseHandle CloseHandle 17091->17092 17092->17068 17094 406784 CreateFileA 17093->17094 17095 40677a SetFileAttributesA 17093->17095 17096 4067a4 CreateFileA 17094->17096 17097 4067b5 17094->17097 17095->17094 17096->17097 17098 4067c5 17097->17098 17099 4067ba SetFileAttributesA 17097->17099 17100 406977 17098->17100 17101 4067cf GetFileSize 17098->17101 17099->17098 17100->16973 17100->16998 17100->16999 17102 4067e5 17101->17102 17119 406922 17101->17119 17104 4067ed ReadFile 17102->17104 17102->17119 17103 40696e CloseHandle 17103->17100 17105 406811 SetFilePointer 17104->17105 17104->17119 17106 40682a ReadFile 17105->17106 17105->17119 17107 406848 SetFilePointer 17106->17107 17106->17119 17108 406867 17107->17108 17107->17119 17109 4068d5 17108->17109 17110 406878 ReadFile 17108->17110 17109->17103 17112 40ebcc 4 API calls 17109->17112 17111 4068d0 17110->17111 17113 406891 17110->17113 17111->17109 17114 4068f8 17112->17114 17113->17110 17113->17111 17115 406900 SetFilePointer 17114->17115 17114->17119 17116 40695a 17115->17116 17117 40690d ReadFile 17115->17117 17118 40ec2e codecvt 4 API calls 17116->17118 17117->17116 17117->17119 17118->17119 17119->17103 17121 4099eb 
17120->17121 17122 409a2f lstrcatA 17121->17122 17123 40ee2a 17122->17123 17124 409a4b lstrcatA 17123->17124 17125 406a60 13 API calls 17124->17125 17126 409a60 17125->17126 17126->16999 17126->17026 17177 406dc2 17126->17177 17516 401910 17127->17516 17130 40934a GetModuleHandleA GetModuleFileNameA 17132 40937f 17130->17132 17133 4093a4 17132->17133 17134 4093d9 17132->17134 17135 4093c3 wsprintfA 17133->17135 17136 409401 wsprintfA 17134->17136 17138 409415 17135->17138 17136->17138 17137 4094a0 17518 406edd 17137->17518 17138->17137 17140 406cc9 5 API calls 17138->17140 17147 409439 17140->17147 17141 4094ac 17142 40962f 17141->17142 17143 4094e8 RegOpenKeyExA 17141->17143 17148 409646 17142->17148 17546 401820 17142->17546 17145 409502 17143->17145 17146 4094fb 17143->17146 17150 40951f RegQueryValueExA 17145->17150 17146->17142 17152 40958a 17146->17152 17531 40ef1e lstrlenA 17147->17531 17157 4095d6 17148->17157 17526 4091eb 17148->17526 17154 409530 17150->17154 17155 409539 17150->17155 17152->17148 17153 409593 17152->17153 17153->17157 17533 40f0e4 17153->17533 17158 40956e RegCloseKey 17154->17158 17159 409556 RegQueryValueExA 17155->17159 17156 409462 17160 40947e wsprintfA 17156->17160 17157->17034 17157->17035 17158->17146 17159->17154 17159->17158 17160->17137 17162 4095bb 17162->17157 17540 4018e0 17162->17540 17165 406b8c GetLastError 17164->17165 17166 406a8f GetDiskFreeSpaceA 17164->17166 17168 406b86 17165->17168 17167 406ac5 17166->17167 17176 406ad7 17166->17176 17594 40eb0e 17167->17594 17168->16974 17172 406b56 CloseHandle 17172->17168 17175 406b65 GetLastError CloseHandle 17172->17175 17173 406b36 GetLastError CloseHandle 17174 406b7f DeleteFileA 17173->17174 17174->17168 17175->17174 17588 406987 17176->17588 17178 406e24 17177->17178 17179 406dd7 17177->17179 17178->17015 17180 406cc9 5 API calls 17179->17180 17181 406ddc 17180->17181 17181->17178 17181->17181 17182 406e02 GetVolumeInformationA 17181->17182 17182->17178 17184 406cdc 
GetModuleHandleA GetProcAddress 17183->17184 17185 406dbe lstrcpyA lstrcatA lstrcatA 17183->17185 17186 406d12 GetSystemDirectoryA 17184->17186 17187 406cfd 17184->17187 17185->17026 17188 406d27 GetWindowsDirectoryA 17186->17188 17189 406d1e 17186->17189 17187->17186 17190 406d8b 17187->17190 17192 406d42 17188->17192 17189->17188 17189->17190 17190->17185 17191 40ef1e lstrlenA 17191->17190 17192->17191 17194 402544 17193->17194 17195 40972d RegOpenKeyExA 17194->17195 17196 409740 17195->17196 17197 409765 17195->17197 17198 40974f RegDeleteValueA RegCloseKey 17196->17198 17197->17009 17198->17197 17200 402554 lstrcatA 17199->17200 17201 40ee2a 17200->17201 17202 40a0ec lstrcatA 17201->17202 17202->17043 17204 40ec37 17203->17204 17205 40a15d 17203->17205 17602 40eba0 17204->17602 17205->16973 17205->16974 17209 402544 17208->17209 17210 40919e wsprintfA 17209->17210 17211 4091bb 17210->17211 17605 409064 GetTempPathA 17211->17605 17214 4091d5 ShellExecuteA 17215 4091e7 17214->17215 17215->16974 17217 406ed5 17216->17217 17218 406ecc 17216->17218 17217->17024 17219 406e36 2 API calls 17218->17219 17219->17217 17221 4098f6 17220->17221 17222 404280 30 API calls 17221->17222 17223 409904 Sleep 17221->17223 17224 409915 17221->17224 17222->17221 17223->17221 17223->17224 17225 409947 17224->17225 17612 40977c 17224->17612 17225->16950 17634 40dd05 GetTickCount 17227->17634 17229 40e538 17641 40dbcf 17229->17641 17231 40e544 17232 40e555 GetFileSize 17231->17232 17236 40e5b8 17231->17236 17233 40e5b1 CloseHandle 17232->17233 17234 40e566 17232->17234 17233->17236 17651 40db2e 17234->17651 17660 40e3ca RegOpenKeyExA 17236->17660 17238 40e576 ReadFile 17238->17233 17240 40e58d 17238->17240 17655 40e332 17240->17655 17243 40e5f2 17244 40e3ca 19 API calls 17243->17244 17245 40e629 17243->17245 17244->17245 17245->16949 17247 40eabe 17246->17247 17249 40eaba 17246->17249 17248 40dd05 6 API calls 17247->17248 17247->17249 17248->17249 17249->16954 17251 40ee2a 17250->17251 
17252 401db4 GetVersionExA 17251->17252 17253 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 17252->17253 17255 401e24 17253->17255 17256 401e16 GetCurrentProcess 17253->17256 17713 40e819 17255->17713 17256->17255 17258 401e3d 17259 40e819 11 API calls 17258->17259 17260 401e4e 17259->17260 17261 401e77 17260->17261 17720 40df70 17260->17720 17729 40ea84 17261->17729 17265 401e6c 17266 40df70 12 API calls 17265->17266 17266->17261 17267 40e819 11 API calls 17268 401e93 17267->17268 17733 40199c inet_addr LoadLibraryA 17268->17733 17271 40e819 11 API calls 17272 401eb9 17271->17272 17273 401ed8 17272->17273 17275 40f04e 4 API calls 17272->17275 17274 40e819 11 API calls 17273->17274 17277 401eee 17274->17277 17276 401ec9 17275->17276 17278 40ea84 30 API calls 17276->17278 17279 401f0a 17277->17279 17746 401b71 17277->17746 17278->17273 17281 40e819 11 API calls 17279->17281 17283 401f23 17281->17283 17282 401efd 17284 40ea84 30 API calls 17282->17284 17285 401f3f 17283->17285 17750 401bdf 17283->17750 17284->17279 17286 40e819 11 API calls 17285->17286 17289 401f5e 17286->17289 17291 401f77 17289->17291 17292 40ea84 30 API calls 17289->17292 17290 40ea84 30 API calls 17290->17285 17757 4030b5 17291->17757 17292->17291 17296 406ec3 2 API calls 17297 401f8e GetTickCount 17296->17297 17297->16959 17299 406ec3 2 API calls 17298->17299 17300 4080eb 17299->17300 17301 4080f9 17300->17301 17302 4080ef 17300->17302 17304 40704c 16 API calls 17301->17304 17805 407ee6 17302->17805 17306 408110 17304->17306 17305 408269 CreateThread 17323 405e6c 17305->17323 18134 40877e 17305->18134 17308 408156 RegOpenKeyExA 17306->17308 17309 4080f4 17306->17309 17307 40675c 21 API calls 17313 408244 17307->17313 17308->17309 17310 40816d RegQueryValueExA 17308->17310 17309->17305 17309->17307 17311 4081f7 17310->17311 17312 40818d 17310->17312 17314 40820d RegCloseKey 17311->17314 17316 40ec2e codecvt 4 API calls 17311->17316 17312->17311 17317 40ebcc 4 API calls 17312->17317 
17313->17305 17315 40ec2e codecvt 4 API calls 17313->17315 17314->17309 17315->17305 17322 4081dd 17316->17322 17318 4081a0 17317->17318 17318->17314 17319 4081aa RegQueryValueExA 17318->17319 17319->17311 17320 4081c4 17319->17320 17321 40ebcc 4 API calls 17320->17321 17321->17322 17322->17314 17873 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 17323->17873 17325 405e71 17874 40e654 17325->17874 17327 405ec1 17328 403132 17327->17328 17329 40df70 12 API calls 17328->17329 17330 40313b 17329->17330 17331 40c125 17330->17331 17885 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 17331->17885 17333 40c12d 17334 40e654 13 API calls 17333->17334 17335 40c2bd 17334->17335 17336 40e654 13 API calls 17335->17336 17337 40c2c9 17336->17337 17338 40e654 13 API calls 17337->17338 17339 40a47a 17338->17339 17340 408db1 17339->17340 17341 408dbc 17340->17341 17342 40e654 13 API calls 17341->17342 17343 408dec Sleep 17342->17343 17343->16993 17345 40c92f 17344->17345 17346 40c93c 17345->17346 17886 40c517 17345->17886 17348 40ca2b 17346->17348 17349 40e819 11 API calls 17346->17349 17348->16993 17350 40c96a 17349->17350 17351 40e819 11 API calls 17350->17351 17352 40c97d 17351->17352 17353 40e819 11 API calls 17352->17353 17354 40c990 17353->17354 17355 40c9aa 17354->17355 17356 40ebcc 4 API calls 17354->17356 17355->17348 17903 402684 17355->17903 17356->17355 17361 40ca26 17910 40c8aa 17361->17910 17364 40ca44 17365 40ca4b closesocket 17364->17365 17366 40ca83 17364->17366 17365->17361 17367 40ea84 30 API calls 17366->17367 17368 40caac 17367->17368 17369 40f04e 4 API calls 17368->17369 17370 40cab2 17369->17370 17371 40ea84 30 API calls 17370->17371 17372 40caca 17371->17372 17373 40ea84 30 API calls 17372->17373 17374 40cad9 17373->17374 17918 40c65c 17374->17918 17377 40cb60 closesocket 17377->17348 17379 40dad2 closesocket 17380 40e318 23 API calls 17379->17380 17380->17348 17381 40df4c 20 API calls 17408 40cb70 17381->17408 17387 
40e654 13 API calls 17387->17408 17392 40ea84 30 API calls 17392->17408 17393 40d569 closesocket Sleep 17965 40e318 17393->17965 17394 40d815 wsprintfA 17394->17408 17395 40cc1c GetTempPathA 17395->17408 17396 40c517 23 API calls 17396->17408 17398 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 17398->17408 17399 407ead 6 API calls 17399->17408 17400 40e8a1 30 API calls 17400->17408 17401 40d582 ExitProcess 17402 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 17402->17408 17403 40cfe3 GetSystemDirectoryA 17403->17408 17404 40cfad GetEnvironmentVariableA 17404->17408 17405 40675c 21 API calls 17405->17408 17406 40d027 GetSystemDirectoryA 17406->17408 17407 40d105 lstrcatA 17407->17408 17408->17379 17408->17381 17408->17387 17408->17392 17408->17393 17408->17394 17408->17395 17408->17396 17408->17398 17408->17399 17408->17400 17408->17402 17408->17403 17408->17404 17408->17405 17408->17406 17408->17407 17409 40ef1e lstrlenA 17408->17409 17410 40cc9f CreateFileA 17408->17410 17411 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 17408->17411 17413 40d15b CreateFileA 17408->17413 17418 40d149 SetFileAttributesA 17408->17418 17419 40d36e GetEnvironmentVariableA 17408->17419 17420 40d1bf SetFileAttributesA 17408->17420 17421 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 17408->17421 17423 40d22d GetEnvironmentVariableA 17408->17423 17425 40d3af lstrcatA 17408->17425 17426 40d3f2 CreateFileA 17408->17426 17428 407fcf 64 API calls 17408->17428 17434 40d3e0 SetFileAttributesA 17408->17434 17435 40d26e lstrcatA 17408->17435 17437 40d4b1 CreateProcessA 17408->17437 17438 40d2b1 CreateFileA 17408->17438 17440 40d452 SetFileAttributesA 17408->17440 17442 407ee6 64 API calls 17408->17442 17443 40d29f SetFileAttributesA 17408->17443 17446 40d31d SetFileAttributesA 17408->17446 17926 40c75d 17408->17926 17938 407e2f 17408->17938 17960 407ead 17408->17960 17970 4031d0 17408->17970 
17987 403c09 17408->17987 17997 403a00 17408->17997 18001 40e7b4 17408->18001 18004 40c06c 17408->18004 18010 406f5f GetUserNameA 17408->18010 18021 40e854 17408->18021 18031 407dd6 17408->18031 17409->17408 17410->17408 17412 40ccc6 WriteFile 17410->17412 17411->17408 17414 40cdcc CloseHandle 17412->17414 17415 40cced CloseHandle 17412->17415 17413->17408 17416 40d182 WriteFile CloseHandle 17413->17416 17414->17408 17422 40cd2f 17415->17422 17416->17408 17417 40cd16 wsprintfA 17417->17422 17418->17413 17419->17408 17420->17408 17421->17408 17422->17417 17947 407fcf 17422->17947 17423->17408 17425->17408 17425->17426 17426->17408 17429 40d415 WriteFile CloseHandle 17426->17429 17428->17408 17429->17408 17430 40cd81 WaitForSingleObject CloseHandle CloseHandle 17432 40f04e 4 API calls 17430->17432 17431 40cda5 17433 407ee6 64 API calls 17431->17433 17432->17431 17436 40cdbd DeleteFileA 17433->17436 17434->17426 17435->17408 17435->17438 17436->17408 17437->17408 17439 40d4e8 CloseHandle CloseHandle 17437->17439 17438->17408 17441 40d2d8 WriteFile CloseHandle 17438->17441 17439->17408 17440->17408 17441->17408 17442->17408 17443->17438 17446->17408 17448 40741b 17447->17448 17449 406dc2 6 API calls 17448->17449 17450 40743f 17449->17450 17451 407469 RegOpenKeyExA 17450->17451 17453 4077f9 17451->17453 17462 407487 ___ascii_stricmp 17451->17462 17452 407703 RegEnumKeyA 17454 407714 RegCloseKey 17452->17454 17452->17462 17453->17063 17454->17453 17455 4074d2 RegOpenKeyExA 17455->17462 17456 40772c 17458 407742 RegCloseKey 17456->17458 17459 40774b 17456->17459 17457 407521 RegQueryValueExA 17457->17462 17458->17459 17460 4077ec RegCloseKey 17459->17460 17460->17453 17461 4076e4 RegCloseKey 17461->17462 17462->17452 17462->17455 17462->17456 17462->17457 17462->17461 17464 40f1a5 lstrlenA 17462->17464 17465 40777e GetFileAttributesExA 17462->17465 17466 407769 17462->17466 17463 4077e3 RegCloseKey 17463->17460 17464->17462 17465->17466 17466->17463 17468 407073 
17467->17468 17469 4070b9 RegOpenKeyExA 17468->17469 17470 4070d0 17469->17470 17484 4071b8 17469->17484 17471 406dc2 6 API calls 17470->17471 17474 4070d5 17471->17474 17472 40719b RegEnumValueA 17473 4071af RegCloseKey 17472->17473 17472->17474 17473->17484 17474->17472 17476 4071d0 17474->17476 17490 40f1a5 lstrlenA 17474->17490 17477 407205 RegCloseKey 17476->17477 17478 407227 17476->17478 17477->17484 17479 4072b8 ___ascii_stricmp 17478->17479 17480 40728e RegCloseKey 17478->17480 17481 4072cd RegCloseKey 17479->17481 17482 4072dd 17479->17482 17480->17484 17481->17484 17483 407311 RegCloseKey 17482->17483 17486 407335 17482->17486 17483->17484 17484->17064 17485 4073d5 RegCloseKey 17487 4073e4 17485->17487 17486->17485 17488 40737e GetFileAttributesExA 17486->17488 17489 407397 17486->17489 17488->17489 17489->17485 17491 40f1c3 17490->17491 17491->17474 17493 403ee2 17492->17493 17494 403edc 17492->17494 17493->17070 17495 406dc2 6 API calls 17494->17495 17495->17493 17497 40400b CreateFileA 17496->17497 17498 40402c GetLastError 17497->17498 17499 404052 17497->17499 17498->17499 17500 404037 17498->17500 17499->17068 17499->17073 17499->17074 17500->17499 17501 404041 Sleep 17500->17501 17501->17497 17501->17499 17503 403f4e GetLastError 17502->17503 17505 403f7c 17502->17505 17504 403f5b WaitForSingleObject GetOverlappedResult 17503->17504 17503->17505 17504->17505 17506 403f8c ReadFile 17505->17506 17507 403ff0 17506->17507 17508 403fc2 GetLastError 17506->17508 17507->17079 17507->17080 17508->17507 17509 403fcf WaitForSingleObject GetOverlappedResult 17508->17509 17509->17507 17513 40eb74 17510->17513 17514 40eb7b GetProcessHeap HeapSize 17513->17514 17515 404350 17513->17515 17514->17515 17515->17087 17517 401924 GetVersionExA 17516->17517 17517->17130 17519 406f55 17518->17519 17520 406eef AllocateAndInitializeSid 17518->17520 17519->17141 17521 406f44 17520->17521 17522 406f1c CheckTokenMembership 17520->17522 17521->17519 17552 406e36 GetUserNameW 
17521->17552 17523 406f3b FreeSid 17522->17523 17524 406f2e 17522->17524 17523->17521 17524->17523 17527 409308 17526->17527 17529 40920e 17526->17529 17527->17157 17528 4092f1 Sleep 17528->17529 17529->17527 17529->17528 17529->17529 17530 4092bf ShellExecuteA 17529->17530 17530->17527 17530->17529 17532 40ef32 17531->17532 17532->17156 17534 40f0f1 17533->17534 17535 40f0ed 17533->17535 17536 40f119 17534->17536 17537 40f0fa lstrlenA SysAllocStringByteLen 17534->17537 17535->17162 17538 40f11c MultiByteToWideChar 17536->17538 17537->17538 17539 40f117 17537->17539 17538->17539 17539->17162 17541 401820 17 API calls 17540->17541 17543 4018f2 17541->17543 17542 4018f9 17542->17157 17543->17542 17555 401280 17543->17555 17545 401908 17545->17157 17567 401000 17546->17567 17548 401839 17549 401851 GetCurrentProcess 17548->17549 17550 40183d 17548->17550 17551 401864 17549->17551 17550->17148 17551->17148 17553 406e5f LookupAccountNameW 17552->17553 17554 406e97 17552->17554 17553->17554 17554->17519 17556 4012e1 17555->17556 17557 4016f9 GetLastError 17556->17557 17564 4013a8 17556->17564 17558 401699 17557->17558 17558->17545 17559 401570 lstrlenW 17559->17564 17560 4015be GetStartupInfoW 17560->17564 17561 4015ff CreateProcessWithLogonW 17562 4016bf GetLastError 17561->17562 17563 40163f WaitForSingleObject 17561->17563 17562->17558 17563->17564 17565 401659 CloseHandle 17563->17565 17564->17558 17564->17559 17564->17560 17564->17561 17566 401668 CloseHandle 17564->17566 17565->17564 17566->17564 17568 40100d LoadLibraryA 17567->17568 17577 401023 17567->17577 17569 401021 17568->17569 17568->17577 17569->17548 17570 4010b5 GetProcAddress 17571 4010d1 GetProcAddress 17570->17571 17572 40127b 17570->17572 17571->17572 17573 4010f0 GetProcAddress 17571->17573 17572->17548 17573->17572 17574 401110 GetProcAddress 17573->17574 17574->17572 17575 401130 GetProcAddress 17574->17575 17575->17572 17576 40114f GetProcAddress 17575->17576 17576->17572 17578 40116f 
GetProcAddress 17576->17578 17577->17570 17587 4010ae 17577->17587 17578->17572 17579 40118f GetProcAddress 17578->17579 17579->17572 17580 4011ae GetProcAddress 17579->17580 17580->17572 17581 4011ce GetProcAddress 17580->17581 17581->17572 17582 4011ee GetProcAddress 17581->17582 17582->17572 17583 401209 GetProcAddress 17582->17583 17583->17572 17584 401225 GetProcAddress 17583->17584 17584->17572 17585 401241 GetProcAddress 17584->17585 17585->17572 17586 40125c GetProcAddress 17585->17586 17586->17572 17587->17548 17591 4069b9 WriteFile 17588->17591 17590 4069ff 17592 406a3c 17590->17592 17593 406a10 WriteFile 17590->17593 17591->17590 17591->17592 17592->17172 17592->17173 17593->17590 17593->17592 17595 40eb17 17594->17595 17596 40eb21 17594->17596 17598 40eae4 17595->17598 17596->17176 17599 40eb02 GetProcAddress 17598->17599 17600 40eaed LoadLibraryA 17598->17600 17599->17596 17600->17599 17601 40eb01 17600->17601 17601->17596 17603 40eba7 GetProcessHeap HeapSize 17602->17603 17604 40ebbf GetProcessHeap HeapFree 17602->17604 17603->17604 17604->17205 17606 40908d 17605->17606 17607 4090e2 wsprintfA 17606->17607 17608 40ee2a 17607->17608 17609 4090fd CreateFileA 17608->17609 17610 40911a lstrlenA WriteFile CloseHandle 17609->17610 17611 40913f 17609->17611 17610->17611 17611->17214 17611->17215 17613 40ee2a 17612->17613 17614 409794 CreateProcessA 17613->17614 17615 4097c2 17614->17615 17616 4097bb 17614->17616 17617 4097d4 GetThreadContext 17615->17617 17616->17225 17618 409801 17617->17618 17619 4097f5 17617->17619 17626 40637c 17618->17626 17620 4097f6 TerminateProcess 17619->17620 17620->17616 17622 409816 17622->17620 17623 40981e WriteProcessMemory 17622->17623 17623->17619 17624 40983b SetThreadContext 17623->17624 17624->17619 17625 409858 ResumeThread 17624->17625 17625->17616 17627 406386 17626->17627 17628 40638a GetModuleHandleA VirtualAlloc 17626->17628 17627->17622 17629 4063b6 17628->17629 17630 4063f5 17628->17630 17631 4063be VirtualAllocEx 
17629->17631 17630->17622 17631->17630 17632 4063d6 17631->17632 17633 4063df WriteProcessMemory 17632->17633 17633->17630 17635 40dd41 InterlockedExchange 17634->17635 17636 40dd20 GetCurrentThreadId 17635->17636 17637 40dd4a 17635->17637 17638 40dd53 GetCurrentThreadId 17636->17638 17639 40dd2e GetTickCount 17636->17639 17637->17638 17638->17229 17639->17637 17640 40dd39 Sleep 17639->17640 17640->17635 17642 40dbf0 17641->17642 17674 40db67 GetEnvironmentVariableA 17642->17674 17644 40dc19 17645 40dcda 17644->17645 17646 40db67 3 API calls 17644->17646 17645->17231 17647 40dc5c 17646->17647 17647->17645 17648 40db67 3 API calls 17647->17648 17649 40dc9b 17648->17649 17649->17645 17650 40db67 3 API calls 17649->17650 17650->17645 17652 40db55 17651->17652 17653 40db3a 17651->17653 17652->17233 17652->17238 17678 40ebed 17653->17678 17687 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 17655->17687 17657 40e3be 17657->17233 17658 40e342 17658->17657 17690 40de24 17658->17690 17661 40e528 17660->17661 17662 40e3f4 17660->17662 17661->17243 17663 40e434 RegQueryValueExA 17662->17663 17664 40e458 17663->17664 17665 40e51d RegCloseKey 17663->17665 17666 40e46e RegQueryValueExA 17664->17666 17665->17661 17666->17664 17667 40e488 17666->17667 17667->17665 17668 40db2e 8 API calls 17667->17668 17669 40e499 17668->17669 17669->17665 17670 40e4b9 RegQueryValueExA 17669->17670 17671 40e4e8 17669->17671 17670->17669 17670->17671 17671->17665 17672 40e332 14 API calls 17671->17672 17673 40e513 17672->17673 17673->17665 17675 40db89 lstrcpyA CreateFileA 17674->17675 17676 40dbca 17674->17676 17675->17644 17676->17644 17679 40ec01 17678->17679 17680 40ebf6 17678->17680 17681 40eba0 codecvt 2 API calls 17679->17681 17682 40ebcc 4 API calls 17680->17682 17683 40ec0a GetProcessHeap HeapReAlloc 17681->17683 17684 40ebfe 17682->17684 17685 40eb74 2 API calls 17683->17685 17684->17652 17686 40ec28 17685->17686 17686->17652 17701 40eb41 17687->17701 17691 40de3a 17690->17691 17695 
40de4e 17691->17695 17705 40dd84 17691->17705 17694 40de9e 17694->17695 17697 40ebed 8 API calls 17694->17697 17695->17658 17696 40de76 17709 40ddcf 17696->17709 17699 40def6 17697->17699 17699->17695 17700 40ddcf lstrcmpA 17699->17700 17700->17695 17702 40eb54 17701->17702 17703 40eb4a 17701->17703 17702->17658 17704 40eae4 2 API calls 17703->17704 17704->17702 17706 40ddc5 17705->17706 17707 40dd96 17705->17707 17706->17694 17706->17696 17707->17706 17708 40ddad lstrcmpiA 17707->17708 17708->17706 17708->17707 17710 40de20 17709->17710 17711 40dddd 17709->17711 17710->17695 17711->17710 17712 40ddfa lstrcmpA 17711->17712 17712->17711 17714 40dd05 6 API calls 17713->17714 17715 40e821 17714->17715 17716 40dd84 lstrcmpiA 17715->17716 17717 40e82c 17716->17717 17719 40e844 17717->17719 17761 402480 17717->17761 17719->17258 17721 40dd05 6 API calls 17720->17721 17722 40df7c 17721->17722 17723 40dd84 lstrcmpiA 17722->17723 17727 40df89 17723->17727 17724 40dfc4 17724->17265 17725 40ddcf lstrcmpA 17725->17727 17726 40ec2e codecvt 4 API calls 17726->17727 17727->17724 17727->17725 17727->17726 17728 40dd84 lstrcmpiA 17727->17728 17728->17727 17730 40ea98 17729->17730 17770 40e8a1 17730->17770 17732 401e84 17732->17267 17734 4019d5 GetProcAddress GetProcAddress GetProcAddress 17733->17734 17737 4019ce 17733->17737 17735 401ab3 FreeLibrary 17734->17735 17736 401a04 17734->17736 17735->17737 17736->17735 17738 401a14 GetProcessHeap 17736->17738 17737->17271 17738->17737 17740 401a2e HeapAlloc 17738->17740 17740->17737 17741 401a42 17740->17741 17742 401a52 HeapReAlloc 17741->17742 17744 401a62 17741->17744 17742->17744 17743 401aa1 FreeLibrary 17743->17737 17744->17743 17745 401a96 HeapFree 17744->17745 17745->17743 17798 401ac3 LoadLibraryA 17746->17798 17749 401bcf 17749->17282 17751 401ac3 12 API calls 17750->17751 17752 401c09 17751->17752 17753 401c41 17752->17753 17754 401c0d GetComputerNameA 17752->17754 17753->17290 17755 401c45 GetVolumeInformationA 17754->17755 
17756 401c1f 17754->17756 17755->17753 17756->17753 17756->17755 17758 40ee2a 17757->17758 17759 4030d0 gethostname gethostbyname 17758->17759 17760 401f82 17759->17760 17760->17296 17760->17297 17764 402419 lstrlenA 17761->17764 17763 402491 17763->17719 17765 40243d lstrlenA 17764->17765 17769 402474 17764->17769 17766 402464 lstrlenA 17765->17766 17767 40244e lstrcmpiA 17765->17767 17766->17765 17766->17769 17767->17766 17768 40245c 17767->17768 17768->17766 17768->17769 17769->17763 17771 40dd05 6 API calls 17770->17771 17772 40e8b4 17771->17772 17773 40dd84 lstrcmpiA 17772->17773 17774 40e8c0 17773->17774 17775 40e90a 17774->17775 17776 40e8c8 lstrcpynA 17774->17776 17778 402419 4 API calls 17775->17778 17786 40ea27 17775->17786 17777 40e8f5 17776->17777 17791 40df4c 17777->17791 17779 40e926 lstrlenA lstrlenA 17778->17779 17781 40e96a 17779->17781 17782 40e94c lstrlenA 17779->17782 17785 40ebcc 4 API calls 17781->17785 17781->17786 17782->17781 17783 40e901 17784 40dd84 lstrcmpiA 17783->17784 17784->17775 17787 40e98f 17785->17787 17786->17732 17787->17786 17788 40df4c 20 API calls 17787->17788 17789 40ea1e 17788->17789 17790 40ec2e codecvt 4 API calls 17789->17790 17790->17786 17792 40dd05 6 API calls 17791->17792 17793 40df51 17792->17793 17794 40f04e 4 API calls 17793->17794 17795 40df58 17794->17795 17796 40de24 10 API calls 17795->17796 17797 40df63 17796->17797 17797->17783 17799 401ae2 GetProcAddress 17798->17799 17804 401b68 GetComputerNameA GetVolumeInformationA 17798->17804 17800 401af5 17799->17800 17799->17804 17801 40ebed 8 API calls 17800->17801 17802 401b29 17800->17802 17801->17800 17802->17802 17803 40ec2e codecvt 4 API calls 17802->17803 17802->17804 17803->17804 17804->17749 17806 406ec3 2 API calls 17805->17806 17807 407ef4 17806->17807 17808 4073ff 17 API calls 17807->17808 17817 407fc9 17807->17817 17809 407f16 17808->17809 17809->17817 17818 407809 GetUserNameA 17809->17818 17811 407f63 17812 40ef1e lstrlenA 17811->17812 17811->17817 
17813 407fa6 17812->17813 17814 40ef1e lstrlenA 17813->17814 17815 407fb7 17814->17815 17842 407a95 RegOpenKeyExA 17815->17842 17817->17309 17819 40783d LookupAccountNameA 17818->17819 17824 407a8d 17818->17824 17820 407874 GetLengthSid GetFileSecurityA 17819->17820 17819->17824 17821 4078a8 GetSecurityDescriptorOwner 17820->17821 17820->17824 17822 4078c5 EqualSid 17821->17822 17823 40791d GetSecurityDescriptorDacl 17821->17823 17822->17823 17825 4078dc LocalAlloc 17822->17825 17823->17824 17830 407941 17823->17830 17824->17811 17825->17823 17826 4078ef InitializeSecurityDescriptor 17825->17826 17828 407916 LocalFree 17826->17828 17829 4078fb SetSecurityDescriptorOwner 17826->17829 17827 40795b GetAce 17827->17830 17828->17823 17829->17828 17831 40790b SetFileSecurityA 17829->17831 17830->17824 17830->17827 17832 407980 EqualSid 17830->17832 17833 407a3d 17830->17833 17834 4079be EqualSid 17830->17834 17835 40799d DeleteAce 17830->17835 17831->17828 17832->17830 17833->17824 17836 407a43 LocalAlloc 17833->17836 17834->17830 17835->17830 17836->17824 17837 407a56 InitializeSecurityDescriptor 17836->17837 17838 407a62 SetSecurityDescriptorDacl 17837->17838 17839 407a86 LocalFree 17837->17839 17838->17839 17840 407a73 SetFileSecurityA 17838->17840 17839->17824 17840->17839 17841 407a83 17840->17841 17841->17839 17843 407ac4 17842->17843 17844 407acb GetUserNameA 17842->17844 17843->17817 17845 407da7 RegCloseKey 17844->17845 17846 407aed LookupAccountNameA 17844->17846 17845->17843 17846->17845 17847 407b24 RegGetKeySecurity 17846->17847 17847->17845 17848 407b49 GetSecurityDescriptorOwner 17847->17848 17849 407b63 EqualSid 17848->17849 17850 407bb8 GetSecurityDescriptorDacl 17848->17850 17849->17850 17852 407b74 LocalAlloc 17849->17852 17851 407da6 17850->17851 17863 407bdc 17850->17863 17851->17845 17852->17850 17853 407b8a InitializeSecurityDescriptor 17852->17853 17855 407bb1 LocalFree 17853->17855 17856 407b96 SetSecurityDescriptorOwner 17853->17856 17854 407bf8 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                      • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                      • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                      • API String ID: 2089075347-2824936573
                                                                                      • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                      • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                       Control-flow Graph (image): basic blocks 4250b9-42540c; non-API subcalls 425028, 424ee3
                                                                                      APIs
                                                                                      • lstrcatW.KERNEL32(?,00000000), ref: 00425148
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00425154
                                                                                      • GetActiveWindow.USER32 ref: 0042515A
                                                                                      • LoadIconA.USER32(00000000,00000000), ref: 00425162
                                                                                      • InflateRect.USER32(00000000,00000000,00000000), ref: 0042516F
                                                                                      • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 00425178
                                                                                      • GetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00425185
                                                                                      • InitAtomTable.KERNEL32(00000000), ref: 0042518C
                                                                                      • GetCurrentConsoleFont.KERNEL32(00000000,00000000,?), ref: 00425199
                                                                                      • DebugBreak.KERNEL32 ref: 0042519F
                                                                                      • EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004251A8
                                                                                      • SetCommMask.KERNELBASE(00000000,00000000), ref: 004251D9
                                                                                      • GetTickCount.KERNEL32 ref: 004251DF
                                                                                      • GetDateFormatA.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00425203
                                                                                      • GetSystemTimes.KERNELBASE(?,?,?), ref: 00425218
                                                                                      • FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0042523E
                                                                                      • GetTimeFormatA.KERNEL32(00000000,00000000,0042C4E0,0042C4E0,?,00000000), ref: 0042527F
                                                                                      • HeapLock.KERNEL32(00000000), ref: 00425286
                                                                                      • FormatMessageW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0042529A
                                                                                      • GlobalAlloc.KERNELBASE(00000000), ref: 00425338
                                                                                      • LoadLibraryA.KERNELBASE(0042C520), ref: 0042537B
                                                                                      • VirtualProtect.KERNELBASE(00000040,?), ref: 00425394
                                                                                      • GetProcessIoCounters.KERNEL32(00000000,00000000), ref: 004253AC
                                                                                      • UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004253B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181031656.0000000000418000.00000020.00000001.01000000.00000003.sdmp, Offset: 00418000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_418000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: Format$AtomDateLoad$ActiveAllocBreakCacheCommConsoleCountCountersCurrentDebugEnumExchangeFileFlushFoldFontFormatsGlobalHeapIconInflateInitInstructionInterlockedLibraryLockMaskMessageNameProcessProtectRectStringSystemTableTickTimeTimesUnlockVirtualWindowlstrcat
                                                                                      • String ID: k`$}$
                                                                                      • API String ID: 1758670013-956986773
                                                                                      • Opcode ID: 11a06e5e142067575ebe82f8eff95b9e5a09bdf74230d629ed085f9a8f10a717
                                                                                      • Instruction ID: 06bb82473ef69684721e713d6b0dfcdbaab8e4b9c375e17e3125242d7fe09b8c
                                                                                      • Opcode Fuzzy Hash: 11a06e5e142067575ebe82f8eff95b9e5a09bdf74230d629ed085f9a8f10a717
                                                                                      • Instruction Fuzzy Hash: 6E81E671602A30BBC225AB62FC49DAF7B6CFF4A355B40103AF545D21A1D7389542CBEE
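The per-function "APIs" listings above are raw output of the Joe Sandbox IDA plugin and are tedious to read by hand. The triage script below, an added example that is neither part of this report nor Joe Sandbox code, parses that listing format and flags the chains an analyst would want to look at: a RegOpenKeyEx under HKCU followed by RegSetValueEx, a CreateProcess with CREATE_NO_WINDOW followed by DeleteFile (the spawn-then-self-delete pattern), a VirtualProtect carrying a 0x40 argument, the service control dispatcher, and a module snapshot via CreateToolhelp32Snapshot. The sample lines are copied from the listings on this page; the five-call lookahead window and the flag names are assumptions, and argument positions are trusted only for the leading slots because the plugin prints more values than the API takes (seven for the five-parameter RegOpenKeyExA).

```python
"""Triage helper for Joe Sandbox per-function API listings (added example, not report output)."""
import re
from dataclasses import dataclass

# One listing line looks like:  • RegOpenKeyExA.ADVAPI32(80000001,...,?), ref: 00409F3B
# Lines prefixed with "Part of subcall function XXXX:" are parsed as well.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY_NAMES = {0x80000001: "HKCU", 0x80000002: "HKLM"}
REG_SZ = 1
PAGE_EXECUTE_READWRITE = 0x40
CREATE_NO_WINDOW = 0x08000000
TH32CS_SNAPMODULE = 0x8
WINDOW = 5  # assumption: a related call must appear within the next five listed calls


@dataclass
class Call:
    api: str
    module: str
    args: list   # hex values as ints, None for '?' or non-numeric tokens
    ref: int     # address of the call site


def parse_args(raw):
    """Turn '80000001,00000000,?,PromptOnSecureDesktop' into [0x80000001, 0, None, None]."""
    if raw is None:
        return []
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        if not tok:
            continue
        try:
            out.append(int(tok, 16))
        except ValueError:
            out.append(None)
    return out


def parse_listing(text):
    """Parse every API line; unrelated lines (headers, hashes) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append(Call(m["api"], m["mod"], parse_args(m["args"]), int(m["ref"], 16)))
    return calls


def find_behaviours(calls):
    """Return (call-site address, description) for chains worth a closer look.

    The plugin prints more slots than the API takes (seven values for the
    five-parameter RegOpenKeyExA), so only leading positions are trusted.
    """
    findings = []
    for i, c in enumerate(calls):
        a = c.args
        later = calls[i + 1:i + 1 + WINDOW]
        if c.api.startswith("RegOpenKeyEx") and a and a[0] in HKEY_NAMES:
            for n in later:
                if n.api.startswith("RegSetValueEx"):
                    kind = " (REG_SZ)" if len(n.args) > 3 and n.args[3] == REG_SZ else ""
                    findings.append((c.ref, f"registry value written under {HKEY_NAMES[a[0]]}{kind}"))
                    break
        if c.api.startswith("CreateProcess") and len(a) > 5 and a[5] is not None and a[5] & CREATE_NO_WINDOW:
            if any(n.api.startswith("DeleteFile") for n in later):
                findings.append((c.ref, "hidden child process followed by DeleteFile (self-delete pattern)"))
        if c.api == "VirtualProtect" and PAGE_EXECUTE_READWRITE in a:
            findings.append((c.ref, "VirtualProtect with 0x40 argument (PAGE_EXECUTE_READWRITE if it is flNewProtect)"))
        if c.api.startswith("StartServiceCtrlDispatcher"):
            findings.append((c.ref, "registers a service main routine with the SCM"))
        if c.api == "CreateToolhelp32Snapshot" and a and a[0] is not None and a[0] & TH32CS_SNAPMODULE:
            findings.append((c.ref, "module snapshot (TH32CS_SNAPMODULE) of the current process"))
    return findings


# Constructed sample: lines copied from the listings in this report.
SAMPLE = """\
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• LoadLibraryA.KERNELBASE(0042C520), ref: 0042537B
• VirtualProtect.KERNELBASE(00000040,?), ref: 00425394
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0069B036
• GetTickCount.KERNEL32 ref: 0040EC78
  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
"""

if __name__ == "__main__":
    for ref, what in find_behaviours(parse_listing(SAMPLE)):
        print(f"{ref:08X}  {what}")
```

The findings are keyed by the `ref:` address, so each one can be taken straight back to the function listing it came from; the lookahead window is deliberately short so that a RegSetValueEx in a different function does not get paired with an unrelated RegOpenKeyEx.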

                                                                                       Control-flow Graph (image): basic blocks 409326-4096a9; non-API subcalls 401910, 402544, 40ee2a, 406edd, 406cc9, 40ef00, 40ef1e, 401820, 4091eb, 40f0e4, 4018e0
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID: PromptOnSecureDesktop$runas
                                                                                      • API String ID: 3696105349-2220793183
                                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                      • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                       Control-flow Graph (image): basic blocks 406a60-406ba6; non-API subcalls 40eb0e, 406987, 40eca5
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                      • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3188212458-2980165447
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                       Control-flow Graph (image not preserved)
                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                                      • String ID:
                                                                                      • API String ID: 1209300637-0
                                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                       Control-flow Graph (image): basic blocks 69b00e-69b06c; non-API subcall 69accd
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0069B036
                                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 0069B056
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181701002.000000000069A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_69a000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                      • String ID:
                                                                                      • API String ID: 3833638111-0
                                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                      • Instruction ID: a035c155b476cc2a52b3904ca2342c434184e22c435fb999ffe7eed2c7503eb1
                                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                      • Instruction Fuzzy Hash: 34F0F631200310AFDB203BF4AD8DBAF76EEAF48324F101528E652929C0DBB0EC458A61
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                        • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AllocateSize
                                                                                      • String ID:
                                                                                      • API String ID: 2559512979-0
                                                                                      • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                      • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                      • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                      • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 321 4073ff-407419 322 40741b 321->322 323 40741d-407422 321->323 322->323 324 407424 323->324 325 407426-40742b 323->325 324->325 326 407430-407435 325->326 327 40742d 325->327 328 407437 326->328 329 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 326->329 327->326 328->329 334 407487-40749d call 40ee2a 329->334 335 4077f9-4077fe call 40ee2a 329->335 340 407703-40770e RegEnumKeyA 334->340 341 407801 335->341 343 4074a2-4074b1 call 406cad 340->343 344 407714-40771d RegCloseKey 340->344 342 407804-407808 341->342 347 4074b7-4074cc call 40f1a5 343->347 348 4076ed-407700 343->348 344->341 347->348 351 4074d2-4074f8 RegOpenKeyExA 347->351 348->340 352 407727-40772a 351->352 353 4074fe-407530 call 402544 RegQueryValueExA 351->353 354 407755-407764 call 40ee2a 352->354 355 40772c-407740 call 40ef00 352->355 353->352 361 407536-40753c 353->361 366 4076df-4076e2 354->366 363 407742-407745 RegCloseKey 355->363 364 40774b-40774e 355->364 365 40753f-407544 361->365 363->364 368 4077ec-4077f7 RegCloseKey 364->368 365->365 367 407546-40754b 365->367 366->348 369 4076e4-4076e7 RegCloseKey 366->369 367->354 370 407551-40756b call 40ee95 367->370 368->342 369->348 370->354 373 407571-407593 call 402544 call 40ee95 370->373 378 407753 373->378 379 407599-4075a0 373->379 378->354 380 4075a2-4075c6 call 40ef00 call 40ed03 379->380 381 4075c8-4075d7 call 40ed03 379->381 387 4075d8-4075da 380->387 381->387 389 4075dc 387->389 390 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 387->390 389->390 399 407626-40762b 390->399 399->399 400 40762d-407634 399->400 401 407637-40763c 400->401 401->401 402 40763e-407642 401->402 403 407644-407656 call 40ed77 402->403 404 40765c-407673 call 40ed23 402->404 409 407769-40777c call 40ef00 403->409 410 407680 404->410 411 407675-40767e 404->411 416 4077e3-4077e6 RegCloseKey 409->416 413 407683-40768e call 406cad 410->413 411->413 418 407722-407725 413->418 419 407694-4076bf call 40f1a5 call 406c96 413->419 416->368 421 4076dd 418->421 425 4076c1-4076c7 419->425 426 4076d8 419->426 421->366 425->426 427 4076c9-4076d2 425->427 426->421 427->426 428 40777e-407797 GetFileAttributesExA 427->428 429 407799 428->429 430 40779a-40779f 428->430 429->430 431 4077a1 430->431 432 4077a3-4077a8 430->432 431->432 433 4077c4-4077c8 432->433 434 4077aa-4077c0 call 40ee08 432->434 436 4077d7-4077dc 433->436 437 4077ca-4077d6 call 40ef00 433->437 434->433 440 4077e0-4077e2 436->440 441 4077de 436->441 437->436 440->416 441->440
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                      • API String ID: 3433985886-3108538426
                                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 443 40704c-407071 444 407073 443->444 445 407075-40707a 443->445 444->445 446 40707c 445->446 447 40707e-407083 445->447 446->447 448 407085 447->448 449 407087-40708c 447->449 448->449 450 407090-4070ca call 402544 RegOpenKeyExA 449->450 451 40708e 449->451 454 4070d0-4070f6 call 406dc2 450->454 455 4071b8-4071c8 call 40ee2a 450->455 451->450 460 40719b-4071a9 RegEnumValueA 454->460 461 4071cb-4071cf 455->461 462 4070fb-4070fd 460->462 463 4071af-4071b2 RegCloseKey 460->463 464 40716e-407194 462->464 465 4070ff-407102 462->465 463->455 464->460 465->464 466 407104-407107 465->466 466->464 467 407109-40710d 466->467 467->464 468 40710f-407133 call 402544 call 40eed1 467->468 473 4071d0-407203 call 402544 call 40ee95 call 40ee2a 468->473 474 407139-407145 call 406cad 468->474 489 407205-407212 RegCloseKey 473->489 490 407227-40722e 473->490 480 407147-40715c call 40f1a5 474->480 481 40715e-40716b call 40ee2a 474->481 480->473 480->481 481->464 491 407222-407225 489->491 492 407214-407221 call 40ef00 489->492 493 407230-407256 call 40ef00 call 40ed23 490->493 494 40725b-40728c call 402544 call 40ee95 call 40ee2a 490->494 491->461 492->491 493->494 506 407258 493->506 508 4072b8-4072cb call 40ed77 494->508 509 40728e-40729a RegCloseKey 494->509 506->494 516 4072dd-4072f4 call 40ed23 508->516 517 4072cd-4072d8 RegCloseKey 508->517 510 4072aa-4072b3 509->510 511 40729c-4072a9 call 40ef00 509->511 510->461 511->510 520 407301 516->520 521 4072f6-4072ff 516->521 517->461 522 407304-40730f call 406cad 520->522 521->522 525 407311-40731d RegCloseKey 522->525 526 407335-40735d call 406c96 522->526 527 40732d-407330 525->527 528 40731f-40732c call 40ef00 525->528 533 4073d5-4073e2 RegCloseKey 526->533 534 40735f-407365 526->534 527->510 528->527 536 4073f2-4073f7 533->536 537 4073e4-4073f1 call 40ef00 533->537 534->533 535 407367-407370 534->535 535->533 538 407372-40737c 535->538 537->536 541 40739d-4073a2 538->541 542 40737e-407395 GetFileAttributesExA 538->542 544 4073a4 541->544 545 4073a6-4073a9 541->545 542->541 543 407397 542->543 543->541 544->545 546 4073b9-4073bc 545->546 547 4073ab-4073b8 call 40ef00 545->547 549 4073cb-4073cd 546->549 550 4073be-4073ca call 40ef00 546->550 547->546 549->533 550->549
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                      • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                      • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                      • String ID: $"$PromptOnSecureDesktop
                                                                                      • API String ID: 4293430545-98143240
                                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 633 40675c-406778 634 406784-4067a2 CreateFileA 633->634 635 40677a-40677e SetFileAttributesA 633->635 636 4067a4-4067b2 CreateFileA 634->636 637 4067b5-4067b8 634->637 635->634 636->637 638 4067c5-4067c9 637->638 639 4067ba-4067bf SetFileAttributesA 637->639 640 406977-406986 638->640 641 4067cf-4067df GetFileSize 638->641 639->638 642 4067e5-4067e7 641->642 643 40696b 641->643 642->643 645 4067ed-40680b ReadFile 642->645 644 40696e-406971 CloseHandle 643->644 644->640 645->643 646 406811-406824 SetFilePointer 645->646 646->643 647 40682a-406842 ReadFile 646->647 647->643 648 406848-406861 SetFilePointer 647->648 648->643 649 406867-406876 648->649 650 4068d5-4068df 649->650 651 406878-40688f ReadFile 649->651 650->644 652 4068e5-4068eb 650->652 653 406891-40689e 651->653 654 4068d2 651->654 657 4068f0-4068fe call 40ebcc 652->657 658 4068ed 652->658 655 4068a0-4068b5 653->655 656 4068b7-4068ba 653->656 654->650 659 4068bd-4068c3 655->659 656->659 657->643 665 406900-40690b SetFilePointer 657->665 658->657 661 4068c5 659->661 662 4068c8-4068ce 659->662 661->662 662->651 664 4068d0 662->664 664->650 666 40695a-406969 call 40ec2e 665->666 667 40690d-406920 ReadFile 665->667 666->644 667->666 669 406922-406958 667->669 669->644
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                      • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                      • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 2622201749-0
                                                                                      • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                      • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 697 54003c-540047 698 54004c-540263 call 540a3f call 540e0f call 540d90 VirtualAlloc 697->698 699 540049 697->699 714 540265-540289 call 540a69 698->714 715 54028b-540292 698->715 699->698 720 5402ce-5403c2 VirtualProtect call 540cce call 540ce7 714->720 717 5402a1-5402b0 715->717 719 5402b2-5402cc 717->719 717->720 719->717 726 5403d1-5403e0 720->726 727 5403e2-540437 call 540ce7 726->727 728 540439-5404b8 VirtualFree 726->728 727->726 730 5405f4-5405fe 728->730 731 5404be-5404cd 728->731 734 540604-54060d 730->734 735 54077f-540789 730->735 733 5404d3-5404dd 731->733 733->730 739 5404e3-540505 LoadLibraryA 733->739 734->735 740 540613-540637 734->740 737 5407a6-5407b0 735->737 738 54078b-5407a3 735->738 741 5407b6-5407cb 737->741 742 54086e-5408be LoadLibraryA 737->742 738->737 743 540517-540520 739->743 744 540507-540515 739->744 745 54063e-540648 740->745 746 5407d2-5407d5 741->746 749 5408c7-5408f9 742->749 747 540526-540547 743->747 744->747 745->735 748 54064e-54065a 745->748 750 540824-540833 746->750 751 5407d7-5407e0 746->751 752 54054d-540550 747->752 748->735 753 540660-54066a 748->753 754 540902-54091d 749->754 755 5408fb-540901 749->755 761 540839-54083c 750->761 756 5407e4-540822 751->756 757 5407e2 751->757 758 540556-54056b 752->758 759 5405e0-5405ef 752->759 760 54067a-540689 753->760 755->754 756->746 757->750 762 54056d 758->762 763 54056f-54057a 758->763 759->733 764 540750-54077a 760->764 765 54068f-5406b2 760->765 761->742 766 54083e-540847 761->766 762->759 772 54057c-540599 763->772 773 54059b-5405bb 763->773 764->745 767 5406b4-5406ed 765->767 768 5406ef-5406fc 765->768 769 540849 766->769 770 54084b-54086c 766->770 767->768 774 5406fe-540748 768->774 775 54074b 768->775 769->742 770->761 780 5405bd-5405db 772->780 773->780 774->775 775->760 780->752
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0054024D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID: cess$kernel32.dll
                                                                                      • API String ID: 4275171209-1230238691
                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction ID: 154a888089c45a34402e680f3c48991356cd843d6438e7c360382ace7e0c66c3
                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction Fuzzy Hash: F0526974A01229DFDB64CF58C984BA8BBB1BF09304F1480D9E54DAB291DB30AE95DF15

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                      • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                      • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                        • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 4131120076-2980165447
                                                                                      • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                      • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                      • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                      • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 796 404000-404008 797 40400b-40402a CreateFileA 796->797 798 404057 797->798 799 40402c-404035 GetLastError 797->799 800 404059-40405c 798->800 801 404052 799->801 802 404037-40403a 799->802 804 404054-404056 800->804 801->804 802->801 803 40403c-40403f 802->803 803->800 805 404041-404050 Sleep 803->805 805->797 805->801
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 408151869-2980165447
                                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

Control-flow Graph
• Function 00406987-00406A5F: WriteFile at 004069E4-004069FD, then a second WriteFile at 00406A10-00406A2E inside a loop (block 00406A35-00406A3A branches back to it); both paths converge at 00406A5B-00406A5F.
                                                                                      APIs
                                                                                      • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                      • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID: ,k@
                                                                                      • API String ID: 3934441357-1053005162
                                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

Control-flow Graph
• Function 00406DC2-00406E35: calls subcall functions 00406CC9 and 0040EF00 at 00406DD7-00406DF1, a short self-loop at 00406DF4-00406DF9, then GetVolumeInformationA at 00406E02-00406E22; all paths converge at 00406E2E and return via 00406E33-00406E35.
                                                                                      APIs
                                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                      • String ID: xa,
                                                                                      • API String ID: 1823874839-1065553563
                                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

Control-flow Graph
• Function 004091EB-00409324: calls subcall function 0040ED03 (twice) and 0040EE08, then ShellExecuteA at 004092BF-004092DB; the path through Sleep at 004092F1-004092F6 reaches 004092FC-00409302, which branches back to 0040920E (the attempt is repeated after the delay) or exits via 00409308-0040930F.
                                                                                      APIs
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                      • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShellSleep
                                                                                      • String ID:
                                                                                      • API String ID: 4194306370-0
                                                                                      • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                      • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                      • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                      • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

Control-flow Graph
• Function 00540E0F-00540E2C: two consecutive SetErrorMode calls at 00540E0F-00540E24, then a conditional branch to 00540E26 or directly to 00540E2B-00540E2C.
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,00540223,?,?), ref: 00540E19
                                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,00540223,?,?), ref: 00540E1E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction ID: 8c4bb27ebef91340a8cc9f03cc0e2f213876f804ecf9a794f7e7c0ac875d06d5
                                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction Fuzzy Hash: 5FD0123114512877D7002A94DC09BCD7F1CDF05B66F108411FB0DD9080C770995046E5
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0069AD1E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181701002.000000000069A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_69a000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction ID: ee75654346c1d103995654828f2838917bd8b1f15b90b8e2e7523cc4946d9345
                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction Fuzzy Hash: DF113C79A00208EFDB01DF98C985E98BBF5EF08351F158094F9489B362D371EA50DF81
                                                                                      APIs
                                                                                      • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                      • closesocket.WS2_32(?), ref: 0040CB63
                                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                      • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                      • wsprintfA.USER32 ref: 0040CD21
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                      • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                      • closesocket.WS2_32(?), ref: 0040D56C
                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                      • ExitProcess.KERNEL32 ref: 0040D583
                                                                                      • wsprintfA.USER32 ref: 0040D81F
                                                                                        • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                      • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                      • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                      • API String ID: 562065436-3791576231
                                                                                      • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                      • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                      • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                      • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                      • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                      • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                      • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                      • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                      • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                      • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                      • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                      • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                      • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                      • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                      • API String ID: 2238633743-3228201535
                                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
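The two API listings above (the file-drop routine whose calls run from 0040CA4E to 0040DAD5, and the ntdll resolver at 00401012-0040121A) are raw traces; the Python below is an editor's added example, not code from the Joe Sandbox report and not code from the sample. It parses rows in exactly the format printed above and flags the behaviours an analyst would pull out of them: a GetTempPathA, CreateFileA, WriteFile, CloseHandle, CreateProcessA, WaitForSingleObject, DeleteFileA sequence (drop, run, wait, clean up), SetFileAttributesA calls whose second argument carries FILE_ATTRIBUTE_HIDDEN (0x2) after a file was written, and runtime resolution of ntdll token primitives. The sample rows are copied from the listings above; the rules are the editor's own heuristics, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox API-trace rows and flag behaviour patterns.

Added example (editor's code, not Joe Sandbox's and not the sample's).
SAMPLE_ROWS is copied from the listings above; the rules in analyze()
are the editor's heuristics, not Joe Sandbox signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of the "APIs" table, in the three shapes seen above:
#   • CreateFileA.KERNEL32(?,40000000,...), ref: 0040CCB4
#   • wsprintfA.USER32 ref: 0040CD21                 (no argument list printed)
#     • Part of subcall function 0040C65C: send.WS2_32(...), ref: 0040C74B
ROW_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

FILE_ATTRIBUTE_HIDDEN = 0x2
# ntdll exports that together open, duplicate, restrict and apply tokens
# without going through the advapi32 wrappers most hooks watch.
TOKEN_APIS = {
    "NtOpenProcessToken", "NtDuplicateToken", "NtFilterToken",
    "NtQueryInformationToken", "NtSetInformationToken", "NtSetInformationThread",
}


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple[str, ...]
    ref: int  # call-site address from "ref:"


def parse_rows(text: str) -> list[Call]:
    """Turn trace rows into Call records, preserving their listed order."""
    calls: list[Call] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings"
        args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def _hex(arg: str) -> int | None:
    """Joe Sandbox prints unresolved arguments as '?'; treat those as absent."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def in_order(calls: list[Call], sequence: list[str]) -> bool:
    """True if every API in `sequence` occurs in that order (not necessarily adjacent)."""
    it = iter(calls)  # shared iterator: each search resumes after the previous hit
    return all(any(c.api == want for c in it) for want in sequence)


def analyze(calls: list[Call]) -> dict:
    findings: dict = {}
    # Payload written under %TEMP%, executed, waited on, then removed.
    findings["drop_run_delete"] = in_order(calls, [
        "GetTempPathA", "CreateFileA", "WriteFile", "CloseHandle",
        "CreateProcessA", "WaitForSingleObject", "DeleteFileA",
    ])
    # SetFileAttributesA(path, attrs): count calls that set FILE_ATTRIBUTE_HIDDEN.
    findings["hidden_files_written"] = sum(
        1 for c in calls
        if c.api == "SetFileAttributesA" and len(c.args) >= 2
        and (_hex(c.args[1]) or 0) & FILE_ATTRIBUTE_HIDDEN
    )
    # GetProcAddress(hModule, name): which of the token primitives were resolved.
    resolved = {c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) >= 2}
    findings["token_apis_resolved"] = sorted(resolved & TOKEN_APIS)
    findings["loads_ntdll"] = any(
        c.api == "LoadLibraryA" and c.args and c.args[0].lower() == "ntdll.dll" for c in calls
    )
    return findings


# Rows copied from the two listings above (a subset, in their original order).
SAMPLE_ROWS = """\
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• ExitProcess.KERNEL32 ref: 0040D583
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
"""

if __name__ == "__main__":
    for key, value in analyze(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

The ordering check relies on Joe Sandbox listing a function's calls by call-site address, so "in order" means "in code order", not "in observed execution order"; a call inside a loop or a skipped branch looks the same as a straight-line one, which is why the flags are triage hints to confirm in the control-flow graph, not verdicts.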
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-3716895483
                                                                                      • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                      • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                      • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                                      • select.WS2_32 ref: 00402B28
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1639031587-0
                                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2404124870-2980165447
                                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                      APIs
                                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2438460464-0
                                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID: *p@
                                                                                      • API String ID: 3429775523-2474123842
                                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 005465F6
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00546610
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00546631
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00546652
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction ID: 4c258c7a41499e36644c5167fd510dc528da2edf0034e13745af275805d7fe81
                                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction Fuzzy Hash: EF1191B1600219BFDB219F65EC0AFDB3FA8FB457A9F114024F908A7251DBB1DD0086A5
                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                        • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                        • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3754425949-0
                                                                                      • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                      • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                      • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                      • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .$GetProcAddress.$l
                                                                                      • API String ID: 0-2784972518
                                                                                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                      • Instruction ID: 1ac6c022222df10fddb45b89cce92d0bd369c4a3ad6ba39bd49a2e21b0455d6a
                                                                                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                      • Instruction Fuzzy Hash: EB318AB6910609CFDB10CF99C880AEEBBF9FF48328F24504AD941A7351D771EA45CBA4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                      • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                      • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                      • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181701002.000000000069A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0069A000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_69a000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction ID: 784afc855bcd13ab5c84581519becdd3e049072cd1421be4c0b3bafcefd739f7
                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction Fuzzy Hash: 4A117072350100AFDB44DF95DC81FA673EEFB89360B2A8055ED04CB716D675E802C7A0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                      • Instruction ID: 2c82bd516d6ff097f8176106e61eb0d6ffe2c8492c1e619661976ec5e8f84ee2
                                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                      • Instruction Fuzzy Hash: B801D472A006008FDB21DF60C804BEA37B9FB85309F1544A4DA0697282E370A9458B80
                                                                                      APIs
                                                                                      • ExitProcess.KERNEL32 ref: 00549E6D
                                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 00549FE1
                                                                                      • lstrcat.KERNEL32(?,?), ref: 00549FF2
                                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 0054A004
                                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0054A054
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0054A09F
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0054A0D6
                                                                                      • lstrcpy.KERNEL32 ref: 0054A12F
                                                                                      • lstrlen.KERNEL32(00000022), ref: 0054A13C
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00549F13
                                                                                        • Part of subcall function 00547029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00547081
                                                                                        • Part of subcall function 00546F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\utwyareo,00547043), ref: 00546F4E
                                                                                        • Part of subcall function 00546F30: GetProcAddress.KERNEL32(00000000), ref: 00546F55
                                                                                        • Part of subcall function 00546F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00546F7B
                                                                                        • Part of subcall function 00546F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00546F92
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0054A1A2
                                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0054A1C5
                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0054A214
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0054A21B
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 0054A265
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0054A29F
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 0054A2C5
                                                                                      • lstrcat.KERNEL32(?,00000022), ref: 0054A2D9
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 0054A2F4
                                                                                      • wsprintfA.USER32 ref: 0054A31D
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0054A345
                                                                                      • lstrcat.KERNEL32(?,?), ref: 0054A364
                                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0054A387
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0054A398
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0054A1D1
                                                                                        • Part of subcall function 00549966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0054999D
                                                                                        • Part of subcall function 00549966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 005499BD
                                                                                        • Part of subcall function 00549966: RegCloseKey.ADVAPI32(?), ref: 005499C6
                                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0054A3DB
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0054A3E2
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0054A41D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                      • String ID: "$"$"$D$P$\
                                                                                      • API String ID: 1653845638-2605685093
                                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction ID: 9a727131086402e8a26a032c3a533df0b8b7f77d02aea8ca227b5499c9afb06e
                                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction Fuzzy Hash: D0F130B1C40259AFDF21DFA08C49EEF7BBCBB48308F5444A6F609E2141E7758A848F65
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                      • API String ID: 2976863881-1403908072
                                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00547D21
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00547D46
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00547D7D
                                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00547DA2
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00547DC0
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 00547DD1
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00547DE5
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00547DF3
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00547E03
                                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00547E12
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00547E19
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00547E35
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                      • API String ID: 2976863881-1403908072
                                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction ID: 5adf81cff110d09f516cc4b6d65a8cf1364b92f88b186fcfa56755949861d1e3
                                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction Fuzzy Hash: 3DA13B7190021DAFDB118FA0DD88FEEBFBDFB48304F14816AE605E6150EB758A95CB64
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                      • API String ID: 2400214276-165278494
                                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                      • API String ID: 3650048968-2394369944
                                                                                      • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                      • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 00547A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00547ACD
• GetLengthSid.ADVAPI32(?), ref: 00547ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00547B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00547B1F
• EqualSid.ADVAPI32(?,?), ref: 00547B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00547B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00547B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00547B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00547B77
• LocalFree.KERNEL32(00000000), ref: 00547B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00547B9A
• GetAce.ADVAPI32(?,?,?), ref: 00547BCA
• EqualSid.ADVAPI32(?,?), ref: 00547BF1
• DeleteAce.ADVAPI32(?,?), ref: 00547C0A
• EqualSid.ADVAPI32(?,?), ref: 00547C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00547CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00547CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00547CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00547CE0
• LocalFree.KERNEL32(00000000), ref: 00547CEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: 57ab21ca0a8df4b7e67b746cfaae047ada5b0e3625585e843c32fd3145e1fa79
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 79813B7190421DABDB11CFA4DD88BEEBFB8FF0C308F04806AE515E6150D7759A41CBA4
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: PromptOnSecureDesktop$localcfg
• API String ID: 237177642-1678164370
• Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0054865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0054867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 005486A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 005486B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$PromptOnSecureDesktop
• API String ID: 237177642-3108538426
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: f5f39e8f84c78405caa5a79986c2dab7b6f3de14f287b3f6ab7abb0da96e307e
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: C2C1B071900209BEEB11ABA4DC89EFF7FBCFB58308F144476F605E2051EBB14A949B65
APIs
• ShellExecuteExW.SHELL32(?), ref: 00541601
• lstrlenW.KERNEL32(-00000003), ref: 005417D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: 0c4a1a3928f5332ac33e4b4e253cfbe2eb2bd5d068b05a73adbe6b65d88044ef
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: 3EF18DB15087419FD720CF64C888BEBBBE4FB88308F10892DF59697290D7B4D984CB5A
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 005476D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00547757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0054778F
• ___ascii_stricmp.LIBCMT ref: 005478B4
• RegCloseKey.ADVAPI32(?), ref: 0054794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0054796D
• RegCloseKey.ADVAPI32(?), ref: 0054797E
• RegCloseKey.ADVAPI32(?), ref: 005479AC
• RegCloseKey.ADVAPI32(?), ref: 00547A56
  • Part of subcall function 0054F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0054772A,?), ref: 0054F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 005479F6
• RegCloseKey.ADVAPI32(?), ref: 00547A4D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 5f18f2415cbcfdc631bca6cf4873e9ece24ccd06ac0483057c3eb866cdf98e7d
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 92C1827290420EAFEB219FA4DC49FEE7FB9FF89314F1040A5F544E6151EB719A848B60
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00542CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00542D07
• htons.WS2_32(00000000), ref: 00542D42
• select.WS2_32 ref: 00542D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00542DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00542E62
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: 7172c50ddcff244c9ac3b68c0eebda80e0bbfc424ea0678f2a3c8d5db52ca5dc
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: 7F61E371904326ABC3209F65CC09BBBBFF8FF84349F914819F94497151D7B4D8848BA6
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• GetVersionExA.KERNEL32(?), ref: 005495A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005495D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 005495DC
• wsprintfA.USER32 ref: 00549635
• wsprintfA.USER32 ref: 00549673
• wsprintfA.USER32 ref: 005496F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00549758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0054978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005497D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: 6f25e8b9c30bdb78c19925ffe84e753cd7dca432892bd9bf8adfedad29c98ee8
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: 2AA16BB1900209ABEB21DFA4CC4AFDB3FACFB45745F204026FA1596152E7B5D984CBA4
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                      • API String ID: 1586166983-142018493
                                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$wsprintf
                                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                      • API String ID: 1220175532-2340906255
                                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 0054202D
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 0054204F
                                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0054206A
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00542071
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00542082
                                                                                      • GetTickCount.KERNEL32 ref: 00542230
                                                                                        • Part of subcall function 00541E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00541E7C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                      • API String ID: 4207808166-1391650218
                                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                      • Instruction ID: 26e74fde23c86c3706efda5290e3e6fa409d145468db017059d5625aa3fcdc19
                                                                                      • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                      • Instruction Fuzzy Hash: E551C5B05043456FE330AF758C8AFA7BEECFB84708F40491DF99682142D7B5A984C765
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                      • API String ID: 3976553417-1522128867
                                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                      APIs
                                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                      APIs
                                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1553760989-1857712256
                                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00543068
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00543078
                                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 00543095
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005430B6
                                                                                      • htons.WS2_32(00000035), ref: 005430EF
                                                                                      • inet_addr.WS2_32(?), ref: 005430FA
                                                                                      • gethostbyname.WS2_32(?), ref: 0054310D
                                                                                      • HeapFree.KERNEL32(00000000), ref: 0054314D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: iphlpapi.dll
                                                                                      • API String ID: 2869546040-3565520932
                                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction ID: 9f846563e26b71c42376995f3b593efdc1db0701943744de08e7e7f9801d5a37
                                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction Fuzzy Hash: 50318631A00606ABDB119BB89C48AEE7FB8FF04764F144265F518E72A0DB74DE81CB58
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                      • API String ID: 3560063639-3847274415
                                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                      • API String ID: 1082366364-2834986871
                                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                      • API String ID: 2981417381-1403908072
                                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 005467C3
• htonl.WS2_32(?), ref: 005467DF
• htonl.WS2_32(?), ref: 005467EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 005468F1
• ExitProcess.KERNEL32 ref: 005469BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 4dff4b95dc44f5f97e5c81cc474de35de4e4010c6cb388f0bf01291133ff03f4
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: FA618072940208AFDB609FB4DC45FEA7BE9FF48304F148066F96DD2161DAB59990CF14
APIs
• htons.WS2_32(0054CC84), ref: 0054F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0054F5CE
• closesocket.WS2_32(00000000), ref: 0054F5DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 5420c4ab8c3977bf513e77a20ab30260b5ffc4aedb87511255aa90f8d0273f55
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 97317A72900119ABDB10DFA9EC89DEF7BBCFF88314F114566F905E3150E7708A818BA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 00542FA1
• LoadLibraryA.KERNEL32(?), ref: 00542FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00542FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00543000
• RtlAllocateHeap.NTDLL(00000000), ref: 00543007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00543032
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 6e2670cdad0fcee6640ff8199cfdc034dcf3ae266de98778da712e48909de33c
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 6A21C171900229BBCB219B95DC49AEEBFBCFF08B14F404421F905E3150D7B09E8587E0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\utwyareo,00547043), ref: 00546F4E
• GetProcAddress.KERNEL32(00000000), ref: 00546F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00546F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00546F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\utwyareo
• API String ID: 1082366364-2671325736
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: ba6201c575b6e60445dfe136d27f94753a6fc014373c56a915033ec541662e67
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: A62126317453457AF7225335AC8DFFB2E4CAB97718F1840A5F448E6081DBD988DA826E
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 005492E2
• wsprintfA.USER32 ref: 00549350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00549375
• lstrlen.KERNEL32(?,?,00000000), ref: 00549389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00549394
• CloseHandle.KERNEL32(00000000), ref: 0054939B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 662cdeba73e4fec61cbf9c2edc4810c8a896a669da597112eee5f7060ab3edd2
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 431193B27401157BE7216B32EC0EFEF3E6DEBC9B14F00C065BB09E5091EEB44A4586A4
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00549A18
• GetThreadContext.KERNEL32(?,?), ref: 00549A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00549A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00549A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00549AB5
• ResumeThread.KERNEL32(?), ref: 00549AC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: bda3f207350c6701ad24b1deed2289853a47859025defb9df01985dd098acd2e
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 45213BB1A01219BBDB11DBA1DC0AEEFBFBCFF05754F404461BA19E1150E7758A84CBA4
APIs
• inet_addr.WS2_32(004102D8), ref: 00541C18
• LoadLibraryA.KERNEL32(004102C8), ref: 00541C26
• GetProcessHeap.KERNEL32 ref: 00541C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00541C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00541CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 00541D02
• FreeLibrary.KERNEL32(?), ref: 00541D0B
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: ca20fcaad073cb3081624eb756777627be6714b2c56cd8a5dd0f6e318882a373
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: 2D315872E00209BFCB119FA4DD888EEBFB9FB45305B24447AE501A6110D7B54EC0DB98
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1586453840-2980165447
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$CreateEvent
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1371578007-2980165447
                                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00546CE4
                                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00546D22
                                                                                      • GetLastError.KERNEL32 ref: 00546DA7
                                                                                      • CloseHandle.KERNEL32(?), ref: 00546DB5
                                                                                      • GetLastError.KERNEL32 ref: 00546DD6
                                                                                      • DeleteFileA.KERNEL32(?), ref: 00546DE7
                                                                                      • GetLastError.KERNEL32 ref: 00546DFD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3873183294-0
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: f898e12eaf55c9d3aebf21b4d56760a9e5310d826d86f4c152e98589239ed978
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: 3B310376E00249BFCB01DFA4DD49BDE7FB9FB89304F148066E211E3211D7708A558B62
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0054E50A,00000000,00000000,00000000,00020106,00000000,0054E50A,00000000,000000E4), ref: 0054E319
                                                                                      • RegSetValueExA.ADVAPI32(0054E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0054E38E
                                                                                      • RegDeleteValueA.ADVAPI32(0054E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DT), ref: 0054E3BF
                                                                                      • RegCloseKey.ADVAPI32(0054E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DT,0054E50A), ref: 0054E3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID: PromptOnSecureDesktop$DT
                                                                                      • API String ID: 2667537340-1980669561
                                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction ID: 5c3dc798e4dbadf5913ad1264f54004bfe31e38478d30a8bd56635730715410d
                                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction Fuzzy Hash: C5217A31A0021DABDF219FA4EC8AEEE7F78FF08754F008461F904A7051E6719A54D7A0
                                                                                      APIs
                                                                                      • GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00424F8B
                                                                                      • GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00424FC7
                                                                                      • GetComputerNameA.KERNEL32(?,?), ref: 00424FDB
                                                                                      • SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,0042C41C), ref: 00424FE9
                                                                                      • OpenJobObjectA.KERNEL32(00000000,00000000,0042C428), ref: 00424FF6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181031656.0000000000418000.00000020.00000001.01000000.00000003.sdmp, Offset: 00418000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_418000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: NodeNuma$CalendarComputerHighestInfoNameNumberObjectOpenProcessor
                                                                                      • String ID: -
                                                                                      • API String ID: 3293808458-2547889144
                                                                                      • Opcode ID: cbd7c5c07cb5078078958f77ac79951bebb201362ab674e3885adec3f36132ee
                                                                                      • Instruction ID: 0eccb1aac1e8823434b1d3e5e9d8e26066e9430f249d9380e5c281313551a7e7
                                                                                      • Opcode Fuzzy Hash: cbd7c5c07cb5078078958f77ac79951bebb201362ab674e3885adec3f36132ee
                                                                                      • Instruction Fuzzy Hash: 1C11D271600228EFCB21AF21ED8499F7BB8FB84318F408179E629A6141C7385A86CF5C
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3857584221-2980165447
                                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005493C6
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005493CD
                                                                                      • CharToOemA.USER32(?,?), ref: 005493DB
                                                                                      • wsprintfA.USER32 ref: 00549410
                                                                                        • Part of subcall function 005492CB: GetTempPathA.KERNEL32(00000400,?), ref: 005492E2
                                                                                        • Part of subcall function 005492CB: wsprintfA.USER32 ref: 00549350
                                                                                        • Part of subcall function 005492CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00549375
                                                                                        • Part of subcall function 005492CB: lstrlen.KERNEL32(?,?,00000000), ref: 00549389
                                                                                        • Part of subcall function 005492CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00549394
                                                                                        • Part of subcall function 005492CB: CloseHandle.KERNEL32(00000000), ref: 0054939B
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00549448
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3857584221-2980165447
                                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                      • Instruction ID: 8f1a7eb98c1fa0d9188652d1999987236cd74927189a621131695c4ba0293cb2
                                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                      • Instruction Fuzzy Hash: 5E0140F69001197BDB21A7619D4DEDF3A7CEB95705F0040A1BB49E2080EAB496C58F75
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen
                                                                                      • String ID: $localcfg
                                                                                      • API String ID: 1659193697-2018645984
                                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction ID: a2d4120085c9aaeb27aba208afef607da02f81f43e8ccb5236991e8bda771f8c
                                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction Fuzzy Hash: 1E713A71EC4305AAEFA18B58DCCAFEE3F69FB4030DF244426F905A6091DA628D848757
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                      • String ID: flags_upd$localcfg
                                                                                      • API String ID: 204374128-3505511081
                                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                      APIs
                                                                                        • Part of subcall function 0054DF6C: GetCurrentThreadId.KERNEL32 ref: 0054DFBA
                                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 0054E8FA
                                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00546128), ref: 0054E950
                                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 0054E989
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 2920362961-1846390581
                                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction ID: b724df5db8f150b3be6baee57d4bd19f313b1bef7903e1e7e41d047061c7659f
                                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction Fuzzy Hash: B2319C31600716EBDF718F24C88ABE67FE4FB05728F10892AF59687691D370E884CB91
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction ID: 50c0a97f685af91ffd22bc8c7e487fcadba3bfcfb328c3d517538f8ca8780da8
                                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction Fuzzy Hash: 2E214D76504116BFDB109B60FC49EDF3FEDFB4A368B208425F502D1091EB719A50A675
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                      • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3819781495-0
                                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0054C6B4
                                                                                      • InterlockedIncrement.KERNEL32(0054C74B), ref: 0054C715
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0054C747), ref: 0054C728
                                                                                      • CloseHandle.KERNEL32(00000000,?,0054C747,00413588,00548A77), ref: 0054C733
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1026198776-1857712256
                                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction ID: e98b25cd3b1099ad0de276aa7a25427da79b06ae209d005b1bed884115d59f02
                                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction Fuzzy Hash: FD514BB1A02B418FD7B49F69C58556ABFE9FB88304B51593EE18BC7AA0D774F8408B10
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 124786226-2980165447
                                                                                      • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                      • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2667537340-2980165447
                                                                                      • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                      • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005471E1
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00547228
                                                                                      • LocalFree.KERNEL32(?,?,?), ref: 00547286
                                                                                      • wsprintfA.USER32 ref: 0054729D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                      • String ID: |
                                                                                      • API String ID: 2539190677-2343686810
                                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction ID: 6abe6fff1d54450d8cb5dae785b1e1670498517370d2652fd83accba0a755ca8
                                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction Fuzzy Hash: C5313A76904209BBDB01DFA8DC49ADA3FACFF08314F148166F859DB201EB75DA48CB94
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                      • String ID: LocalHost
                                                                                      • API String ID: 3695455745-3154191806
                                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0054B51A
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0054B529
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0054B548
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0054B590
                                                                                      • wsprintfA.USER32 ref: 0054B61E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 4026320513-0
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: c70564c24516ee4d33e7e247abea569c49a16d98e3b70424e38065adb0ff1eb9
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: 075142B1D0021CAADF14DFD4D8885EEFBB9BF48304F10812AF501A6150E7B88AC9CF94
                                                                                      APIs
                                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00546303
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 0054632A
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 005463B1
                                                                                      • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00546405
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: HugeRead$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 3498078134-0
                                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction ID: 08db78cefe3d4f60986abb5ece1cabc2c9cc493d7d4e894c6b91515396fc26f9
                                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction Fuzzy Hash: 85415BB1A0020AAFDF14CF58C884BE9BBB8FF05358F248969E815D7290E771ED40DB51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                      • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                      • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                      • String ID: A$ A
                                                                                      • API String ID: 3343386518-686259309
                                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                      • String ID:
                                                                                      • API String ID: 1128258776-0
                                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: setsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 3981526788-0
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1808961391-1857712256
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000001,DT,00000000,00000000,00000000), ref: 0054E470
                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 0054E484
                                                                                        • Part of subcall function 0054E2FC: RegCreateKeyExA.ADVAPI32(80000001,0054E50A,00000000,00000000,00000000,00020106,00000000,0054E50A,00000000,000000E4), ref: 0054E319
                                                                                        • Part of subcall function 0054E2FC: RegSetValueExA.ADVAPI32(0054E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0054E38E
                                                                                        • Part of subcall function 0054E2FC: RegDeleteValueA.ADVAPI32(0054E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DT), ref: 0054E3BF
                                                                                        • Part of subcall function 0054E2FC: RegCloseKey.ADVAPI32(0054E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DT,0054E50A), ref: 0054E3C8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                      • String ID: PromptOnSecureDesktop$DT
                                                                                      • API String ID: 4151426672-1980669561
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                      • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3683885500-2980165447
                                                                                      APIs
                                                                                        • Part of subcall function 0054DF6C: GetCurrentThreadId.KERNEL32 ref: 0054DFBA
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0054A6AC), ref: 0054E7BF
                                                                                      • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0054A6AC), ref: 0054E7EA
                                                                                      • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0054A6AC), ref: 0054E819
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1396056608-2980165447
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                      • API String ID: 2574300362-1087626847
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 005476D9
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0054796D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0054797E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseEnumOpen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1332880857-2980165447
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: hi_id$localcfg
                                                                                      • API String ID: 2777991786-2393279970
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                      • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                      • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseDeleteOpenValue
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 849931509-2980165447
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0054999D
                                                                                      • RegDeleteValueA.ADVAPI32(?,00000000), ref: 005499BD
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 005499C6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseDeleteOpenValue
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 849931509-2980165447
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg$u6A
                                                                                      • API String ID: 1594361348-1940331995
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 005469E5
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 00546A26
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 00546A3A
                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 00546BD8
                                                                                        • Part of subcall function 0054EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00541DCF,?), ref: 0054EEA8
                                                                                        • Part of subcall function 0054EE95: HeapFree.KERNEL32(00000000), ref: 0054EEAF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 3384756699-0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                      • API String ID: 2111968516-120809033
                                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
APIs
• GetFullPathNameA.KERNEL32(00000000,00000000,?,00000000), ref: 0042505E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042507A
• HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00425098
• SetFileShortNameA.KERNEL32(00000000,0042C460), ref: 004250A4
Memory Dump Source
• Source File: 00000000.00000002.2181031656.0000000000418000.00000020.00000001.01000000.00000003.sdmp, Offset: 00418000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_418000_bEsOrli29K.jbxd
Similarity
• API ID: Name$CreateEnvironmentFileFreeFullHeapPathShortStrings
• String ID:
• API String ID: 4071102102-0
• Opcode ID: bc69b1226fcf67db89fe464c706799af24d95d8a8024064d16ebc773a46ea2e6
• Instruction ID: 5c8f484b8e6f5073547a08100acdc7810c7886e53351bf40ac3baed53192359c
• Opcode Fuzzy Hash: bc69b1226fcf67db89fe464c706799af24d95d8a8024064d16ebc773a46ea2e6
• Instruction Fuzzy Hash: 6E015E76701514ABC721AB66FD88D6F77BCE7C9709780102AF601D2190DA385942CAAD
APIs
Memory Dump Source
• Source File: 00000000.00000002.2181031656.0000000000418000.00000020.00000001.01000000.00000003.sdmp, Offset: 00418000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_418000_bEsOrli29K.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: 62ab4b8ba8e517d9559e8c491edd40464884d24b5327c3800230cc66b45608ab
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: BE11923211455EBBCF125F84ED05CEE3F22BB18354F998416FE1859130D33ACAB2AB89
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
• Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005441AB
• GetLastError.KERNEL32 ref: 005441B5
• WaitForSingleObject.KERNEL32(?,?), ref: 005441C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005441D9
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 4a8584d75d843c6aeb69f805d14aba13ac5dac8ed65e270d58d604c271197ce5
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: 9201A57691110AABDF01DF91ED84BEE7BACFB18359F108461F901E2050D7749AA4CFB6
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0054421F
• GetLastError.KERNEL32 ref: 00544229
• WaitForSingleObject.KERNEL32(?,?), ref: 0054423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0054424D
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: a95c71f21399a2b331da3081b5db22fc8b7c2af87823db42c8ea6ffade2edee2
• Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction Fuzzy Hash: 1C01A572555109ABDF01DF90ED84BEF7BACFB0835AF108461F901E2050D7B09A549FB6
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0054E066
Strings
Memory Dump Source
• Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
• Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
• Instruction ID: 9a0649f2f1ba92bd2011c6e90dd32c921ec4523ea51be81df567301d0106263a
• Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
• Instruction Fuzzy Hash: BFF06231200702DBCB20CF65D888AC2BBE9FB05325B44862BE168C3060D3B4A899CB51
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
• Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
• Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
• Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
• Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Strings
Memory Dump Source
• Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
Yara matches
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
• Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
• Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
• Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
• Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 005483C6
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00548477
                                                                                        • Part of subcall function 005469C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 005469E5
                                                                                        • Part of subcall function 005469C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00546A26
                                                                                        • Part of subcall function 005469C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00546A3A
                                                                                        • Part of subcall function 0054EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00541DCF,?), ref: 0054EEA8
                                                                                        • Part of subcall function 0054EE95: HeapFree.KERNEL32(00000000), ref: 0054EEAF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 359188348-2980165447
                                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction ID: b705c0db7fa76178c956dcf01c84f5e631ba38f222d670f55f80157842185c18
                                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction Fuzzy Hash: EE4150B290010ABFEF10ABA49D85DFF7F6CFB44348F144466F504E6111EAB45A988B65
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0054E859,00000000,00020119,0054E859,PromptOnSecureDesktop), ref: 0054E64D
                                                                                      • RegCloseKey.ADVAPI32(0054E859,?,?,?,?,000000C8,000000E4), ref: 0054E787
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 47109696-2980165447
                                                                                      • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                      • Instruction ID: 98ae48c990cca30e7e0cd347f8e069b80f81c9d47c2a511b0f81578da6ecc390
                                                                                      • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                      • Instruction Fuzzy Hash: 7F4117B2D0011DBFDF11AF98DC86DEEBB79FB54308F104466FA00A6150E3719A559B60
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0054AFFF
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0054B00D
                                                                                        • Part of subcall function 0054AF6F: gethostname.WS2_32(?,00000080), ref: 0054AF83
                                                                                        • Part of subcall function 0054AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0054AFE6
                                                                                        • Part of subcall function 0054331C: gethostname.WS2_32(?,00000080), ref: 0054333F
                                                                                        • Part of subcall function 0054331C: gethostbyname.WS2_32(?), ref: 00543349
                                                                                        • Part of subcall function 0054AA0A: inet_ntoa.WS2_32(00000000), ref: 0054AA10
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %OUTLOOK_BND_
                                                                                      • API String ID: 1981676241-3684217054
                                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                      • Instruction ID: 9d91a0d016586592c3c86b405a7136d2646f57e4ba345de9c8acce01493d85f6
                                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                      • Instruction Fuzzy Hash: 47411E7290020DBBDB25EFA4DC4AEEF3BACFB48304F244426F92992152EA75D654CB54
                                                                                      APIs
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00549536
                                                                                      • Sleep.KERNEL32(000001F4), ref: 0054955D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShellSleep
                                                                                      • String ID:
                                                                                      • API String ID: 4194306370-3916222277
                                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction ID: 3f9d416b05c40c911c33905187967865efc70af1bf6d641c57df850d01a81f05
                                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction Fuzzy Hash: B941F5B18043856EEF379A64D88FBE77FA4BF4231CF3441E5D48697192D6744D818711
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0054B9D9
                                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 0054BA3A
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 0054BA94
                                                                                      • GetTickCount.KERNEL32 ref: 0054BB79
                                                                                      • GetTickCount.KERNEL32 ref: 0054BB99
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 0054BE15
                                                                                      • closesocket.WS2_32(00000000), ref: 0054BEB4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 1869671989-2903620461
                                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction ID: 7eecbf324de56d4bea38ede6b90606932c1f6c00ef2c6a0b29138577c9820e83
                                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction Fuzzy Hash: 59319171800248DFEF25DFA4DC48AED7BB8FB88704F204466FA1482151DB31DA95CF11
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 536389180-1857712256
                                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 005470BC
                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 005470F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountLookupUser
                                                                                      • String ID: |
                                                                                      • API String ID: 2370142434-2343686810
                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction ID: 3fb2e5ae59ead0c3541eb55d69716371c91ee1dc4f26b074d0513c194248c7b4
                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction Fuzzy Hash: 07112A7290411CEBDF15CBE4DD84ADEBBBCBB08305F1451A6E501F6090D7709B88CBA0
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2777991786-1857712256
                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                      APIs
                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2180995386.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2180995386.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                      APIs
                                                                                        • Part of subcall function 00542F88: GetModuleHandleA.KERNEL32(?), ref: 00542FA1
                                                                                        • Part of subcall function 00542F88: LoadLibraryA.KERNEL32(?), ref: 00542FB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005431DA
                                                                                      • HeapFree.KERNEL32(00000000), ref: 005431E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2181457601.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_540000_bEsOrli29K.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction ID: 1ba83095f042057a3fa0bcf9f45ede59f1396a151da77ebca6415de1e1aa4a6e
                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction Fuzzy Hash: 7051BC3590420AAFCF01DF68D8889FABB75FF15308F244568EC96C7221E772DA19CB90

Execution Graph

Execution Coverage: 2.7%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 0%
Total number of Nodes: 1609
Total number of Limit Nodes: 14
17653->17655 17654->17622 17656 40ec28 17655->17656 17656->17622 17671 40eb41 17657->17671 17661 40de3a 17660->17661 17666 40de4e 17661->17666 17675 40dd84 17661->17675 17664 40de9e 17665 40ebed 8 API calls 17664->17665 17664->17666 17669 40def6 17665->17669 17666->17628 17667 40de76 17679 40ddcf 17667->17679 17669->17666 17670 40ddcf lstrcmpA 17669->17670 17670->17666 17672 40eb54 17671->17672 17673 40eb4a 17671->17673 17672->17628 17674 40eae4 2 API calls 17673->17674 17674->17672 17676 40ddc5 17675->17676 17677 40dd96 17675->17677 17676->17664 17676->17667 17677->17676 17678 40ddad lstrcmpiA 17677->17678 17678->17676 17678->17677 17680 40de20 17679->17680 17681 40dddd 17679->17681 17680->17666 17681->17680 17682 40ddfa lstrcmpA 17681->17682 17682->17681 17684 40dd05 6 API calls 17683->17684 17685 40e821 17684->17685 17686 40dd84 lstrcmpiA 17685->17686 17687 40e82c 17686->17687 17688 40e844 17687->17688 17731 402480 17687->17731 17688->17279 17691 40dd05 6 API calls 17690->17691 17692 40df7c 17691->17692 17693 40dd84 lstrcmpiA 17692->17693 17697 40df89 17693->17697 17694 40dfc4 17694->17286 17695 40ddcf lstrcmpA 17695->17697 17696 40ec2e codecvt 4 API calls 17696->17697 17697->17694 17697->17695 17697->17696 17698 40dd84 lstrcmpiA 17697->17698 17698->17697 17700 40ea98 17699->17700 17740 40e8a1 17700->17740 17702 401e84 17702->17288 17704 4019d5 GetProcAddress GetProcAddress GetProcAddress 17703->17704 17705 4019ce 17703->17705 17706 401ab3 FreeLibrary 17704->17706 17707 401a04 17704->17707 17705->17292 17706->17705 17707->17706 17708 401a14 GetProcessHeap 17707->17708 17708->17705 17710 401a2e HeapAlloc 17708->17710 17710->17705 17711 401a42 17710->17711 17712 401a52 HeapReAlloc 17711->17712 17714 401a62 17711->17714 17712->17714 17713 401aa1 FreeLibrary 17713->17705 17714->17713 17715 401a96 HeapFree 17714->17715 17715->17713 17768 401ac3 LoadLibraryA 17716->17768 17719 401bcf 17719->17303 17721 401ac3 12 API calls 17720->17721 17722 401c09 17721->17722 17723 
401c41 17722->17723 17724 401c0d GetComputerNameA 17722->17724 17723->17311 17725 401c45 GetVolumeInformationA 17724->17725 17726 401c1f 17724->17726 17725->17723 17726->17723 17726->17725 17728 40ee2a 17727->17728 17729 4030d0 gethostname gethostbyname 17728->17729 17730 401f82 17729->17730 17730->17317 17730->17318 17734 402419 lstrlenA 17731->17734 17733 402491 17733->17688 17735 40243d lstrlenA 17734->17735 17738 402474 17734->17738 17736 402464 lstrlenA 17735->17736 17737 40244e lstrcmpiA 17735->17737 17736->17735 17736->17738 17737->17736 17739 40245c 17737->17739 17738->17733 17739->17736 17739->17738 17741 40dd05 6 API calls 17740->17741 17742 40e8b4 17741->17742 17743 40dd84 lstrcmpiA 17742->17743 17744 40e8c0 17743->17744 17745 40e90a 17744->17745 17746 40e8c8 lstrcpynA 17744->17746 17748 402419 4 API calls 17745->17748 17754 40ea27 17745->17754 17747 40e8f5 17746->17747 17761 40df4c 17747->17761 17749 40e926 lstrlenA lstrlenA 17748->17749 17751 40e96a 17749->17751 17752 40e94c lstrlenA 17749->17752 17751->17754 17756 40ebcc 4 API calls 17751->17756 17752->17751 17753 40e901 17755 40dd84 lstrcmpiA 17753->17755 17754->17702 17755->17745 17757 40e98f 17756->17757 17757->17754 17758 40df4c 20 API calls 17757->17758 17759 40ea1e 17758->17759 17760 40ec2e codecvt 4 API calls 17759->17760 17760->17754 17762 40dd05 6 API calls 17761->17762 17763 40df51 17762->17763 17764 40f04e 4 API calls 17763->17764 17765 40df58 17764->17765 17766 40de24 10 API calls 17765->17766 17767 40df63 17766->17767 17767->17753 17769 401ae2 GetProcAddress 17768->17769 17772 401b68 GetComputerNameA GetVolumeInformationA 17768->17772 17770 401af5 17769->17770 17769->17772 17771 40ebed 8 API calls 17770->17771 17773 401b29 17770->17773 17771->17770 17772->17719 17773->17772 17773->17773 17774 40ec2e codecvt 4 API calls 17773->17774 17774->17772 17776 406ec3 2 API calls 17775->17776 17777 407ef4 17776->17777 17778 4073ff 17 API calls 17777->17778 17787 407fc9 17777->17787 17779 407f16 
17778->17779 17779->17787 17788 407809 GetUserNameA 17779->17788 17781 407f63 17782 40ef1e lstrlenA 17781->17782 17781->17787 17783 407fa6 17782->17783 17784 40ef1e lstrlenA 17783->17784 17785 407fb7 17784->17785 17812 407a95 RegOpenKeyExA 17785->17812 17787->17330 17789 40783d LookupAccountNameA 17788->17789 17790 407a8d 17788->17790 17789->17790 17791 407874 GetLengthSid GetFileSecurityA 17789->17791 17790->17781 17791->17790 17792 4078a8 GetSecurityDescriptorOwner 17791->17792 17793 4078c5 EqualSid 17792->17793 17794 40791d GetSecurityDescriptorDacl 17792->17794 17793->17794 17795 4078dc LocalAlloc 17793->17795 17794->17790 17802 407941 17794->17802 17795->17794 17796 4078ef InitializeSecurityDescriptor 17795->17796 17798 407916 LocalFree 17796->17798 17799 4078fb SetSecurityDescriptorOwner 17796->17799 17797 40795b GetAce 17797->17802 17798->17794 17799->17798 17800 40790b SetFileSecurityA 17799->17800 17800->17798 17801 407980 EqualSid 17801->17802 17802->17790 17802->17797 17802->17801 17803 407a3d 17802->17803 17804 4079be EqualSid 17802->17804 17805 40799d DeleteAce 17802->17805 17803->17790 17806 407a43 LocalAlloc 17803->17806 17804->17802 17805->17802 17806->17790 17807 407a56 InitializeSecurityDescriptor 17806->17807 17808 407a62 SetSecurityDescriptorDacl 17807->17808 17809 407a86 LocalFree 17807->17809 17808->17809 17810 407a73 SetFileSecurityA 17808->17810 17809->17790 17810->17809 17811 407a83 17810->17811 17811->17809 17813 407ac4 17812->17813 17814 407acb GetUserNameA 17812->17814 17813->17787 17815 407da7 RegCloseKey 17814->17815 17816 407aed LookupAccountNameA 17814->17816 17815->17813 17816->17815 17817 407b24 RegGetKeySecurity 17816->17817 17817->17815 17818 407b49 GetSecurityDescriptorOwner 17817->17818 17819 407b63 EqualSid 17818->17819 17820 407bb8 GetSecurityDescriptorDacl 17818->17820 17819->17820 17822 407b74 LocalAlloc 17819->17822 17821 407da6 17820->17821 17829 407bdc 17820->17829 17821->17815 17822->17820 17823 407b8a 
InitializeSecurityDescriptor 17822->17823 17825 407bb1 LocalFree 17823->17825 17826 407b96 SetSecurityDescriptorOwner 17823->17826 17824 407bf8 GetAce 17824->17829 17825->17820 17826->17825 17827 407ba6 RegSetKeySecurity 17826->17827 17827->17825 17828 407c1d EqualSid 17828->17829 17829->17821 17829->17824 17829->17828 17830 407cd9 17829->17830 17831 407c5f EqualSid 17829->17831 17832 407c3a DeleteAce 17829->17832 17830->17821 17833 407d5a LocalAlloc 17830->17833 17834 407cf2 RegOpenKeyExA 17830->17834 17831->17829 17832->17829 17833->17821 17835 407d70 InitializeSecurityDescriptor 17833->17835 17834->17833 17840 407d0f 17834->17840 17836 407d7c SetSecurityDescriptorDacl 17835->17836 17837 407d9f LocalFree 17835->17837 17836->17837 17838 407d8c RegSetKeySecurity 17836->17838 17837->17821 17838->17837 17839 407d9c 17838->17839 17839->17837 17841 407d43 RegSetValueExA 17840->17841 17841->17833 17842 407d54 17841->17842 17842->17833 17843->17346 17845 40dd05 6 API calls 17844->17845 17846 40e65f 17845->17846 17847 40e6a5 17846->17847 17849 40e68c lstrcmpA 17846->17849 17848 40ebcc 4 API calls 17847->17848 17853 40e6f5 17847->17853 17851 40e6b0 17848->17851 17849->17846 17850 40e6b7 17850->17348 17851->17850 17852 40e6e0 lstrcpynA 17851->17852 17851->17853 17852->17853 17853->17850 17854 40e71d lstrcmpA 17853->17854 17854->17853 17855->17354 17857 40c525 17856->17857 17858 40c532 17856->17858 17857->17858 17860 40ec2e codecvt 4 API calls 17857->17860 17859 40c548 17858->17859 18008 40e7ff 17858->18008 17862 40e7ff lstrcmpiA 17859->17862 17869 40c54f 17859->17869 17860->17858 17863 40c615 17862->17863 17864 40ebcc 4 API calls 17863->17864 17863->17869 17864->17869 17865 40c5d1 17867 40ebcc 4 API calls 17865->17867 17867->17869 17868 40e819 11 API calls 17870 40c5b7 17868->17870 17869->17367 17871 40f04e 4 API calls 17870->17871 17872 40c5bf 17871->17872 17872->17859 17872->17865 17874 402692 inet_addr 17873->17874 17875 40268e 17873->17875 17874->17875 17876 40269e 
gethostbyname 17874->17876 17877 40f428 17875->17877 17876->17875 18011 40f315 17877->18011 17882 40c8d2 17880->17882 17881 40c907 17881->17369 17882->17881 17883 40c517 23 API calls 17882->17883 17883->17881 17884 40f43e 17885 40f473 recv 17884->17885 17886 40f47c 17885->17886 17887 40f458 17885->17887 17886->17385 17887->17885 17887->17886 17889 40c670 17888->17889 17891 40c67d 17888->17891 17890 40ebcc 4 API calls 17889->17890 17890->17891 17892 40ebcc 4 API calls 17891->17892 17894 40c699 17891->17894 17892->17894 17893 40c6f3 17893->17398 17893->17439 17894->17893 17895 40c73c send 17894->17895 17895->17893 17897 40c770 17896->17897 17898 40c77d 17896->17898 17899 40ebcc 4 API calls 17897->17899 17900 40c799 17898->17900 17902 40ebcc 4 API calls 17898->17902 17899->17898 17901 40c7b5 17900->17901 17903 40ebcc 4 API calls 17900->17903 17904 40f43e recv 17901->17904 17902->17900 17903->17901 17905 40c7cb 17904->17905 17906 40f43e recv 17905->17906 17907 40c7d3 17905->17907 17906->17907 17907->17439 18024 407db7 17908->18024 17911 40f04e 4 API calls 17914 407e4c 17911->17914 17912 407e96 17912->17439 17913 40f04e 4 API calls 17913->17912 17915 40f04e 4 API calls 17914->17915 17916 407e70 17914->17916 17915->17916 17916->17912 17916->17913 17918 406ec3 2 API calls 17917->17918 17919 407fdd 17918->17919 17920 4073ff 17 API calls 17919->17920 17929 4080c2 CreateProcessA 17919->17929 17921 407fff 17920->17921 17922 407809 21 API calls 17921->17922 17921->17929 17923 40804d 17922->17923 17924 40ef1e lstrlenA 17923->17924 17923->17929 17925 40809e 17924->17925 17926 40ef1e lstrlenA 17925->17926 17927 4080af 17926->17927 17928 407a95 24 API calls 17927->17928 17928->17929 17929->17451 17929->17452 17931 407db7 2 API calls 17930->17931 17932 407eb8 17931->17932 17933 40f04e 4 API calls 17932->17933 17934 407ece DeleteFileA 17933->17934 17934->17439 17936 40dd05 6 API calls 17935->17936 17937 40e31d 17936->17937 18028 40e177 17937->18028 17939 40e326 17939->17423 17941 
4031f3 17940->17941 17951 4031ec 17940->17951 17942 40ebcc 4 API calls 17941->17942 17955 4031fc 17942->17955 17943 40344b 17944 403459 17943->17944 17945 40349d 17943->17945 17947 40f04e 4 API calls 17944->17947 17946 40ec2e codecvt 4 API calls 17945->17946 17946->17951 17948 40345f 17947->17948 17949 4030fa 4 API calls 17948->17949 17949->17951 17950 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 17950->17955 17951->17439 17952 40344d 17953 40ec2e codecvt 4 API calls 17952->17953 17953->17943 17955->17943 17955->17950 17955->17951 17955->17952 17955->17955 17956 403141 lstrcmpiA 17955->17956 18054 4030fa GetTickCount 17955->18054 17956->17955 17958 4030fa 4 API calls 17957->17958 17959 403c1a 17958->17959 17960 403ce6 17959->17960 18059 403a72 17959->18059 17960->17439 17963 403a72 9 API calls 17965 403c5e 17963->17965 17964 403a72 9 API calls 17964->17965 17965->17960 17965->17964 17966 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 17965->17966 17966->17965 17968 403a10 17967->17968 17969 4030fa 4 API calls 17968->17969 17970 403a1a 17969->17970 17970->17439 17972 40dd05 6 API calls 17971->17972 17973 40e7be 17972->17973 17973->17439 17975 40c105 17974->17975 17976 40c07e wsprintfA 17974->17976 17975->17439 18068 40bfce GetTickCount wsprintfA 17976->18068 17978 40c0ef 18069 40bfce GetTickCount wsprintfA 17978->18069 17981 407047 17980->17981 17982 406f88 LookupAccountNameA 17980->17982 17981->17439 17984 407025 17982->17984 17985 406fcb 17982->17985 17986 406edd 5 API calls 17984->17986 17988 406fdb ConvertSidToStringSidA 17985->17988 17987 40702a wsprintfA 17986->17987 17987->17981 17988->17984 17989 406ff1 17988->17989 17990 407013 LocalFree 17989->17990 17990->17984 17992 40dd05 6 API calls 17991->17992 17993 40e85c 17992->17993 17994 40dd84 lstrcmpiA 17993->17994 17995 40e867 17994->17995 17996 40e885 lstrcpyA 17995->17996 18070 4024a5 17995->18070 18073 40dd69 17996->18073 18002 407db7 2 API calls 18001->18002 18003 407de1 
18002->18003 18004 40f04e 4 API calls 18003->18004 18007 407e16 18003->18007 18005 407df2 18004->18005 18006 40f04e 4 API calls 18005->18006 18005->18007 18006->18007 18007->17439 18009 40dd84 lstrcmpiA 18008->18009 18010 40c58e 18009->18010 18010->17859 18010->17865 18010->17868 18012 40ca1d 18011->18012 18013 40f33b 18011->18013 18012->17382 18012->17884 18014 40f347 htons socket 18013->18014 18015 40f382 ioctlsocket 18014->18015 18016 40f374 closesocket 18014->18016 18017 40f3aa connect select 18015->18017 18018 40f39d 18015->18018 18016->18012 18017->18012 18020 40f3f2 __WSAFDIsSet 18017->18020 18019 40f39f closesocket 18018->18019 18019->18012 18020->18019 18021 40f403 ioctlsocket 18020->18021 18023 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 18021->18023 18023->18012 18025 407dc8 InterlockedExchange 18024->18025 18026 407dc0 Sleep 18025->18026 18027 407dd4 18025->18027 18026->18025 18027->17911 18027->17916 18029 40e184 18028->18029 18030 40e223 18029->18030 18042 40e2e4 18029->18042 18044 40dfe2 18029->18044 18032 40dfe2 8 API calls 18030->18032 18030->18042 18035 40e23c 18032->18035 18033 40e1be 18033->18030 18034 40dbcf 3 API calls 18033->18034 18036 40e1d6 18034->18036 18035->18042 18048 40e095 RegCreateKeyExA 18035->18048 18036->18030 18037 40e21a CloseHandle 18036->18037 18038 40e1f9 WriteFile 18036->18038 18037->18030 18038->18037 18040 40e213 18038->18040 18040->18037 18041 40e2a3 18041->18042 18043 40e095 4 API calls 18041->18043 18042->17939 18043->18042 18045 40dffc 18044->18045 18047 40e024 18044->18047 18046 40db2e 8 API calls 18045->18046 18045->18047 18046->18047 18047->18033 18049 40e172 18048->18049 18050 40e0c0 18048->18050 18049->18041 18051 40e13d 18050->18051 18053 40e115 RegSetValueExA 18050->18053 18052 40e14e RegDeleteValueA RegCloseKey 18051->18052 18052->18049 18053->18050 18053->18051 18055 403122 InterlockedExchange 18054->18055 18056 40312e 18055->18056 18057 40310f GetTickCount 18055->18057 18056->17955 
18057->18056 18058 40311a Sleep 18057->18058 18058->18055 18060 40f04e 4 API calls 18059->18060 18067 403a83 18060->18067 18061 403ac1 18061->17960 18061->17963 18062 403be6 18065 40ec2e codecvt 4 API calls 18062->18065 18063 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 18064 403bc0 18063->18064 18064->18062 18064->18063 18065->18061 18066 403b66 lstrlenA 18066->18061 18066->18067 18067->18061 18067->18064 18067->18066 18068->17978 18069->17975 18071 402419 4 API calls 18070->18071 18072 4024b6 18071->18072 18072->17996 18074 40dd79 lstrlenA 18073->18074 18074->17439 18076 404084 18075->18076 18077 40407d 18075->18077 18078 403ecd 6 API calls 18076->18078 18079 40408f 18078->18079 18080 404000 3 API calls 18079->18080 18082 404095 18080->18082 18081 404130 18083 403ecd 6 API calls 18081->18083 18082->18081 18087 403f18 4 API calls 18082->18087 18084 404159 CreateNamedPipeA 18083->18084 18085 404167 Sleep 18084->18085 18086 404188 ConnectNamedPipe 18084->18086 18085->18081 18088 404176 CloseHandle 18085->18088 18090 404195 GetLastError 18086->18090 18099 4041ab 18086->18099 18089 4040da 18087->18089 18088->18086 18092 403f8c 4 API calls 18089->18092 18091 40425e DisconnectNamedPipe 18090->18091 18090->18099 18091->18086 18093 4040ec 18092->18093 18094 404127 CloseHandle 18093->18094 18095 404101 18093->18095 18094->18081 18096 403f18 4 API calls 18095->18096 18097 40411c ExitProcess 18096->18097 18098 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 18098->18099 18099->18086 18099->18091 18099->18098 18100 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 18099->18100 18101 40426a CloseHandle CloseHandle 18099->18101 18100->18099 18102 40e318 23 API calls 18101->18102 18103 40427b 18102->18103 18103->18103 18105 408791 18104->18105 18106 40879f 18104->18106 18107 40f04e 4 API calls 18105->18107 18108 4087bc 18106->18108 18109 40f04e 4 API calls 18106->18109 18107->18106 18110 40e819 11 API calls 18108->18110 
18109->18108 18111 4087d7 18110->18111 18124 408803 18111->18124 18126 4026b2 gethostbyaddr 18111->18126 18114 4087eb 18116 40e8a1 30 API calls 18114->18116 18114->18124 18116->18124 18119 40e819 11 API calls 18119->18124 18120 4088a0 Sleep 18120->18124 18121 4026b2 2 API calls 18121->18124 18123 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 18123->18124 18124->18119 18124->18120 18124->18121 18124->18123 18125 40e8a1 30 API calls 18124->18125 18131 408cee 18124->18131 18139 40c4d6 18124->18139 18142 40c4e2 18124->18142 18145 402011 18124->18145 18180 408328 18124->18180 18125->18124 18127 4026fb 18126->18127 18128 4026cd 18126->18128 18127->18114 18129 4026e1 inet_ntoa 18128->18129 18130 4026de 18128->18130 18129->18130 18130->18114 18132 408d02 GetTickCount 18131->18132 18133 408dae 18131->18133 18132->18133 18135 408d19 18132->18135 18133->18124 18134 408da1 GetTickCount 18134->18133 18135->18134 18138 408d89 18135->18138 18232 40a677 18135->18232 18235 40a688 18135->18235 18138->18134 18243 40c2dc 18139->18243 18143 40c2dc 141 API calls 18142->18143 18144 40c4ec 18143->18144 18144->18124 18146 402020 18145->18146 18147 40202e 18145->18147 18148 40f04e 4 API calls 18146->18148 18149 40f04e 4 API calls 18147->18149 18150 40204b 18147->18150 18148->18147 18149->18150 18151 40206e GetTickCount 18150->18151 18152 40f04e 4 API calls 18150->18152 18153 4020db GetTickCount 18151->18153 18163 402090 18151->18163 18155 402068 18152->18155 18154 402132 GetTickCount GetTickCount 18153->18154 18166 4020e7 18153->18166 18157 40f04e 4 API calls 18154->18157 18155->18151 18156 4020d4 GetTickCount 18156->18153 18159 402159 18157->18159 18158 40212b GetTickCount 18158->18154 18161 4021b4 18159->18161 18165 40e854 13 API calls 18159->18165 18160 402684 2 API calls 18160->18163 18164 40f04e 4 API calls 18161->18164 18163->18156 18163->18160 18169 4020ce 18163->18169 18570 401978 18163->18570 18168 4021d1 18164->18168 18170 40218e 18165->18170 
18166->18158 18171 402125 18166->18171 18174 401978 15 API calls 18166->18174 18575 402ef8 18166->18575 18172 4021f2 18168->18172 18175 40ea84 30 API calls 18168->18175 18169->18156 18173 40e819 11 API calls 18170->18173 18171->18158 18172->18124 18176 40219c 18173->18176 18174->18166 18177 4021ec 18175->18177 18176->18161 18583 401c5f 18176->18583 18178 40f04e 4 API calls 18177->18178 18178->18172 18181 407dd6 6 API calls 18180->18181 18182 40833c 18181->18182 18183 406ec3 2 API calls 18182->18183 18211 408340 18182->18211 18184 40834f 18183->18184 18185 40835c 18184->18185 18190 40846b 18184->18190 18186 4073ff 17 API calls 18185->18186 18203 408373 18186->18203 18187 4085df 18188 408626 GetTempPathA 18187->18188 18192 408638 18187->18192 18197 408762 18187->18197 18188->18192 18189 40675c 21 API calls 18189->18187 18193 4084a7 RegOpenKeyExA 18190->18193 18213 408450 18190->18213 18655 406ba7 IsBadCodePtr 18192->18655 18195 4084c0 RegQueryValueExA 18193->18195 18196 40852f 18193->18196 18194 4086ad 18194->18197 18200 407e2f 6 API calls 18194->18200 18198 408521 RegCloseKey 18195->18198 18199 4084dd 18195->18199 18201 408564 RegOpenKeyExA 18196->18201 18205 4085a5 18196->18205 18208 40ec2e codecvt 4 API calls 18197->18208 18197->18211 18198->18196 18199->18198 18206 40ebcc 4 API calls 18199->18206 18202 4086bb 18200->18202 18204 408573 RegSetValueExA RegCloseKey 18201->18204 18201->18205 18207 40875b DeleteFileA 18202->18207 18221 4086e0 lstrcpyA lstrlenA 18202->18221 18203->18211 18203->18213 18214 4083ea RegOpenKeyExA 18203->18214 18204->18205 18205->18213 18216 40ec2e codecvt 4 API calls 18205->18216 18210 4084f0 18206->18210 18207->18197 18208->18211 18210->18198 18212 4084f8 RegQueryValueExA 18210->18212 18211->18124 18212->18198 18215 408515 18212->18215 18213->18187 18213->18189 18214->18213 18217 4083fd RegQueryValueExA 18214->18217 18220 40ec2e codecvt 4 API calls 18215->18220 18216->18213 18218 40842d RegSetValueExA 18217->18218 18219 40841e 18217->18219 
18222 408447 RegCloseKey 18218->18222 18219->18218 18219->18222 18223 40851d 18220->18223 18224 407fcf 64 API calls 18221->18224 18222->18213 18223->18198 18225 408719 CreateProcessA 18224->18225 18226 40873d CloseHandle CloseHandle 18225->18226 18227 40874f 18225->18227 18226->18197 18228 407ee6 64 API calls 18227->18228 18229 408754 18228->18229 18230 407ead 6 API calls 18229->18230 18231 40875a 18230->18231 18231->18207 18238 40a63d 18232->18238 18234 40a685 18234->18135 18236 40a63d GetTickCount 18235->18236 18237 40a696 18236->18237 18237->18135 18239 40a645 18238->18239 18240 40a64d 18238->18240 18239->18234 18241 40a66e 18240->18241 18242 40a65e GetTickCount 18240->18242 18241->18234 18242->18241 18259 40a4c7 GetTickCount 18243->18259 18246 40c45e 18251 40c4d2 18246->18251 18252 40c4ab InterlockedIncrement CreateThread 18246->18252 18247 40c300 GetTickCount 18249 40c337 18247->18249 18248 40c326 18248->18249 18250 40c32b GetTickCount 18248->18250 18249->18246 18254 40c363 GetTickCount 18249->18254 18250->18249 18251->18124 18252->18251 18253 40c4cb CloseHandle 18252->18253 18264 40b535 18252->18264 18253->18251 18254->18246 18255 40c373 18254->18255 18256 40c378 GetTickCount 18255->18256 18257 40c37f 18255->18257 18256->18257 18258 40c43b GetTickCount 18257->18258 18258->18246 18260 40a4f7 InterlockedExchange 18259->18260 18261 40a500 18260->18261 18262 40a4e4 GetTickCount 18260->18262 18261->18246 18261->18247 18261->18248 18262->18261 18263 40a4ef Sleep 18262->18263 18263->18260 18265 40b566 18264->18265 18266 40ebcc 4 API calls 18265->18266 18267 40b587 18266->18267 18268 40ebcc 4 API calls 18267->18268 18308 40b590 18268->18308 18269 40bdcd InterlockedDecrement 18270 40bde2 18269->18270 18272 40ec2e codecvt 4 API calls 18270->18272 18273 40bdea 18272->18273 18275 40ec2e codecvt 4 API calls 18273->18275 18274 40bdb7 Sleep 18274->18308 18276 40bdf2 18275->18276 18278 40be05 18276->18278 18279 40ec2e codecvt 4 API calls 18276->18279 18277 40bdcc 
18277->18269 18279->18278 18280 40ebed 8 API calls 18280->18308 18283 40b6b6 lstrlenA 18283->18308 18284 4030b5 2 API calls 18284->18308 18285 40e819 11 API calls 18285->18308 18286 40b6ed lstrcpyA 18339 405ce1 18286->18339 18289 40b731 lstrlenA 18289->18308 18290 40b71f lstrcmpA 18290->18289 18290->18308 18291 40b772 GetTickCount 18291->18308 18292 40bd49 InterlockedIncrement 18433 40a628 18292->18433 18295 40b7ce InterlockedIncrement 18349 40acd7 18295->18349 18296 40bc5b InterlockedIncrement 18296->18308 18299 40b912 GetTickCount 18299->18308 18300 40b932 GetTickCount 18303 40bc6d InterlockedIncrement 18300->18303 18300->18308 18301 40bcdc closesocket 18301->18308 18302 40b826 InterlockedIncrement 18302->18291 18303->18308 18304 405ce1 22 API calls 18304->18308 18305 4038f0 6 API calls 18305->18308 18307 40bba6 InterlockedIncrement 18307->18308 18308->18269 18308->18274 18308->18277 18308->18280 18308->18283 18308->18284 18308->18285 18308->18286 18308->18289 18308->18290 18308->18291 18308->18292 18308->18295 18308->18296 18308->18299 18308->18300 18308->18301 18308->18302 18308->18304 18308->18305 18308->18307 18311 40bc4c closesocket 18308->18311 18312 40a7c1 22 API calls 18308->18312 18314 40ba71 wsprintfA 18308->18314 18315 405ded 12 API calls 18308->18315 18318 40ab81 lstrcpynA InterlockedIncrement 18308->18318 18319 40ef1e lstrlenA 18308->18319 18320 40a688 GetTickCount 18308->18320 18321 403e10 18308->18321 18324 403e4f 18308->18324 18327 40384f 18308->18327 18347 40a7a3 inet_ntoa 18308->18347 18354 40abee 18308->18354 18366 401feb GetTickCount 18308->18366 18387 403cfb 18308->18387 18390 40b3c5 18308->18390 18421 40ab81 18308->18421 18311->18308 18312->18308 18367 40a7c1 18314->18367 18315->18308 18318->18308 18319->18308 18320->18308 18322 4030fa 4 API calls 18321->18322 18323 403e1d 18322->18323 18323->18308 18325 4030fa 4 API calls 18324->18325 18326 403e5c 18325->18326 18326->18308 18328 4030fa 4 API calls 18327->18328 18330 403863 18328->18330 
18329 4038b2 18329->18308 18330->18329 18331 4038b9 18330->18331 18332 403889 18330->18332 18442 4035f9 18331->18442 18436 403718 18332->18436 18337 403718 6 API calls 18337->18329 18338 4035f9 6 API calls 18338->18329 18340 405cf4 18339->18340 18341 405cec 18339->18341 18343 404bd1 4 API calls 18340->18343 18448 404bd1 GetTickCount 18341->18448 18344 405d02 18343->18344 18453 405472 18344->18453 18348 40a7b9 18347->18348 18348->18308 18350 40f315 14 API calls 18349->18350 18351 40aceb 18350->18351 18352 40f315 14 API calls 18351->18352 18353 40acff 18351->18353 18352->18353 18353->18308 18355 40abfb 18354->18355 18359 40ac65 18355->18359 18516 402f22 18355->18516 18357 40f315 14 API calls 18357->18359 18358 40ac8a 18358->18308 18359->18357 18359->18358 18360 40ac6f 18359->18360 18361 40ab81 2 API calls 18360->18361 18363 40ac81 18361->18363 18362 402684 2 API calls 18364 40ac23 18362->18364 18524 4038f0 18363->18524 18364->18359 18364->18362 18366->18308 18368 40a87d lstrlenA send 18367->18368 18369 40a7df 18367->18369 18370 40a899 18368->18370 18371 40a8bf 18368->18371 18369->18368 18376 40a7fa wsprintfA 18369->18376 18377 40a80a 18369->18377 18379 40a8f2 18369->18379 18374 40a8a5 wsprintfA 18370->18374 18386 40a89e 18370->18386 18372 40a8c4 send 18371->18372 18371->18379 18375 40a8d8 wsprintfA 18372->18375 18372->18379 18373 40a978 recv 18373->18379 18380 40a982 18373->18380 18374->18386 18375->18386 18376->18377 18377->18368 18378 40a9b0 wsprintfA 18378->18386 18379->18373 18379->18378 18379->18380 18381 4030b5 2 API calls 18380->18381 18380->18386 18382 40ab05 18381->18382 18383 40e819 11 API calls 18382->18383 18384 40ab17 18383->18384 18385 40a7a3 inet_ntoa 18384->18385 18385->18386 18386->18308 18388 4030fa 4 API calls 18387->18388 18389 403d0b 18388->18389 18389->18308 18391 405ce1 22 API calls 18390->18391 18392 40b3e6 18391->18392 18393 405ce1 22 API calls 18392->18393 18395 40b404 18393->18395 18394 40b440 18397 40ef7c 3 API calls 18394->18397 
18395->18394 18396 40ef7c 3 API calls 18395->18396 18398 40b42b 18396->18398 18399 40b458 wsprintfA 18397->18399 18401 40ef7c 3 API calls 18398->18401 18400 40ef7c 3 API calls 18399->18400 18402 40b480 18400->18402 18401->18394 18403 40ef7c 3 API calls 18402->18403 18404 40b493 18403->18404 18405 40ef7c 3 API calls 18404->18405 18406 40b4bb 18405->18406 18538 40ad89 GetLocalTime SystemTimeToFileTime 18406->18538 18410 40b4cc 18411 40ef7c 3 API calls 18410->18411 18412 40b4dd 18411->18412 18413 40b211 7 API calls 18412->18413 18414 40b4ec 18413->18414 18415 40ef7c 3 API calls 18414->18415 18416 40b4fd 18415->18416 18417 40b211 7 API calls 18416->18417 18418 40b509 18417->18418 18419 40ef7c 3 API calls 18418->18419 18420 40b51a 18419->18420 18420->18308 18422 40abe9 GetTickCount 18421->18422 18424 40ab8c 18421->18424 18426 40a51d 18422->18426 18423 40aba8 lstrcpynA 18423->18424 18424->18422 18424->18423 18425 40abe1 InterlockedIncrement 18424->18425 18425->18424 18427 40a4c7 4 API calls 18426->18427 18428 40a52c 18427->18428 18429 40a542 GetTickCount 18428->18429 18431 40a539 GetTickCount 18428->18431 18429->18431 18432 40a56c 18431->18432 18432->18308 18434 40a4c7 4 API calls 18433->18434 18435 40a633 18434->18435 18435->18308 18437 40f04e 4 API calls 18436->18437 18439 40372a 18437->18439 18438 403847 18438->18329 18438->18337 18439->18438 18440 4037b3 GetCurrentThreadId 18439->18440 18440->18439 18441 4037c8 GetCurrentThreadId 18440->18441 18441->18439 18443 40f04e 4 API calls 18442->18443 18447 40360c 18443->18447 18444 4036f1 18444->18329 18444->18338 18445 4036da GetCurrentThreadId 18445->18444 18446 4036e5 GetCurrentThreadId 18445->18446 18446->18444 18447->18444 18447->18445 18449 404bff InterlockedExchange 18448->18449 18450 404c08 18449->18450 18451 404bec GetTickCount 18449->18451 18450->18340 18451->18450 18452 404bf7 Sleep 18451->18452 18452->18449 18472 404763 18453->18472 18455 40548a 18456 405b58 18455->18456 18466 40558d lstrcpynA 18455->18466 18467 
                                                                                      Execution Graph (rendered as an interactive figure in the report; the node and edge listing is not reproduced here). Functions in the listing with resolved API calls:
                                                                                      • 402d21 / 402df2: GetModuleHandleA, LoadLibraryA, GetProcAddress, GetProcessHeap, HeapAlloc, HeapFree, lstrcpynA
                                                                                      • 402a62 / 4026ff / 402816 / 402871 / 402923: socket, select, recv, sendto, htons, inet_addr, gethostbyname, closesocket, GetTickCount, Sleep, GetProcessHeap, HeapAlloc, HeapFree
                                                                                      • 40ad08 / 40adbf: gethostname, inet_ntoa, wsprintfA, lstrlenA, lstrcpyA
                                                                                      • 40b211: GetLocalTime, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, GetTimeZoneInformation, wsprintfA
                                                                                      • 401990: closesocket; 401cc2 / 401d47: wsprintfA; 40391b / 403939: GetCurrentThreadId; 404fd5: IsBadCodePtr; 40ef7c: lstrlenA (x3); 405a9f / 4058e7: lstrcpyA; 405935: lstrcpynA
                                                                                      • 406bc0: CreateFileA, WriteFile, CloseHandle, DeleteFileA
                                                                                      • 4250b9 / 425028 / 424f2b / 424f61 / 424eee (dump at 418000): SetCommMask, GetTickCount, GetDateFormatA, GetSystemTimes, FoldStringA, GetTimeFormatA, HeapLock, FormatMessageW, GlobalAlloc, LoadLibraryA, VirtualProtect, GetProcessIoCounters, UnlockFile, GetFullPathNameA, FreeEnvironmentStringsW, HeapCreate, SetFileShortNameA, GetCommMask, GetNumaHighestNodeNumber, GetNumaProcessorNode, GetComputerNameA, SetCalendarInfoW, OpenJobObjectA, VirtualLock
                                                                                      • 5d0005 / 5d092b / 5d0e0f / 5d0238 / 5d02ce / 5d0439 / 5d04e3 / 5d05f4: GetPEB, SetErrorMode (x2), VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA
                                                                                      • 62321e / 6239be / 62367d: CreateToolhelp32Snapshot, Module32First, VirtualAlloc
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                        • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                      • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                      • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                      • ExitProcess.KERNEL32 ref: 00409C06
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                      • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                      • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                      • DeleteFileA.KERNEL32(C:\Users\user\Desktop\bEsOrli29K.exe), ref: 0040A407
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                      • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\bEsOrli29K.exe$C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$D$P$\$edgikboy
                                                                                      • API String ID: 2089075347-4142227159
                                                                                      • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                      • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                      Control-flow Graph
                                                                                      Control-flow graph for the function at 4250b9 (basic blocks 4250b9 through 42540c; rendered as an interactive figure, executed/not-executed block colouring not preserved in text). Blocks that call APIs: 42513f (lstrcatW, InterlockedExchangeAdd, GetActiveWindow, LoadIconA, InflateRect, FlushInstructionCache, GetAtomNameA, InitAtomTable, GetCurrentConsoleFont, DebugBreak, EnumDateFormatsW), 4251d7 (SetCommMask, GetTickCount, GetDateFormatA, GetSystemTimes), 425239 (FoldStringA), 425251 (GetTimeFormatA, HeapLock, FormatMessageW), 425331 (GlobalAlloc), 425376 (LoadLibraryA, VirtualProtect, call 425028), 4253aa (GetProcessIoCounters, UnlockFile), 4253c5 (call 424ee3).
                                                                                      APIs
                                                                                      • lstrcatW.KERNEL32(?,00000000), ref: 00425148
                                                                                      • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00425154
                                                                                      • GetActiveWindow.USER32 ref: 0042515A
                                                                                      • LoadIconA.USER32(00000000,00000000), ref: 00425162
                                                                                      • InflateRect.USER32(00000000,00000000,00000000), ref: 0042516F
                                                                                      • FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 00425178
                                                                                      • GetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00425185
                                                                                      • InitAtomTable.KERNEL32(00000000), ref: 0042518C
                                                                                      • GetCurrentConsoleFont.KERNEL32(00000000,00000000,?), ref: 00425199
                                                                                      • DebugBreak.KERNEL32 ref: 0042519F
                                                                                      • EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004251A8
                                                                                      • SetCommMask.KERNELBASE(00000000,00000000), ref: 004251D9
                                                                                      • GetTickCount.KERNEL32 ref: 004251DF
                                                                                      • GetDateFormatA.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00425203
                                                                                      • GetSystemTimes.KERNELBASE(?,?,?), ref: 00425218
                                                                                      • FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0042523E
                                                                                      • GetTimeFormatA.KERNEL32(00000000,00000000,0042C4E0,0042C4E0,?,00000000), ref: 0042527F
                                                                                      • HeapLock.KERNEL32(00000000), ref: 00425286
                                                                                      • FormatMessageW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0042529A
                                                                                      • GlobalAlloc.KERNELBASE(00000000), ref: 00425338
                                                                                      • LoadLibraryA.KERNELBASE(0042C520), ref: 0042537B
                                                                                      • VirtualProtect.KERNELBASE(00000040,?), ref: 00425394
                                                                                      • GetProcessIoCounters.KERNEL32(00000000,00000000), ref: 004253AC
                                                                                      • UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004253B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281330949.0000000000418000.00000020.00000001.01000000.00000005.sdmp, Offset: 00418000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_418000_pwdgvjcm.jbxd
                                                                                      Similarity
                                                                                      • API ID: Format$AtomDateLoad$ActiveAllocBreakCacheCommConsoleCountCountersCurrentDebugEnumExchangeFileFlushFoldFontFormatsGlobalHeapIconInflateInitInstructionInterlockedLibraryLockMaskMessageNameProcessProtectRectStringSystemTableTickTimeTimesUnlockVirtualWindowlstrcat
                                                                                      • String ID: k`$}$
                                                                                      • API String ID: 1758670013-956986773
                                                                                      • Opcode ID: 11a06e5e142067575ebe82f8eff95b9e5a09bdf74230d629ed085f9a8f10a717
                                                                                      • Instruction ID: 06bb82473ef69684721e713d6b0dfcdbaab8e4b9c375e17e3125242d7fe09b8c
                                                                                      • Opcode Fuzzy Hash: 11a06e5e142067575ebe82f8eff95b9e5a09bdf74230d629ed085f9a8f10a717
                                                                                      • Instruction Fuzzy Hash: 6E81E671602A30BBC225AB62FC49DAF7B6CFF4A355B40103AF545D21A1D7389542CBEE

                                                                                      Control-flow Graph
                                                                                      Control-flow graph for the function at 40637c (basic blocks 40637c through 40640f; rendered as an interactive figure, executed/not-executed block colouring not preserved in text). Blocks that call APIs: 40638a (GetModuleHandleA, VirtualAlloc), 4063b6 (call 40ee08, VirtualAllocEx), 4063d6 (call 4062b7, WriteProcessMemory).
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
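Added example (not part of the Joe Sandbox report and not code from the sample): a Python parser for the "APIs" and "String ID" lines in the function listings above, with rules for the behaviours those listings document. The main-function listing shows SetErrorMode(00000003) (SEM_NOGPFAULTERRORBOX = 0x2 is set, so the process dies without a crash dialog) next to SetUnhandledExceptionFilter, RegOpenKeyExA on 80000001 (HKEY_CURRENT_USER) followed by RegSetValueExA with dwType 00000001 (REG_SZ), StartServiceCtrlDispatcherA, and DeleteFileA on C:\Users\user\Desktop\bEsOrli29K.exe, the sample's own path; its string list contains C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe. The function at 40637c calls VirtualAllocEx with protection 00000040 (PAGE_EXECUTE_READWRITE) and then WriteProcessMemory. The sample input is constructed from a subset of those lines. Matching the W variants of the APIs and System32 as well as SysWOW64 is my generalisation, and the rule names are my own.

```python
"""Parser and behaviour rules for the "APIs" / "String ID" lines of a Joe Sandbox
function listing.  Added example, not report or sample code.  The sample input
below is constructed from the listings on this page."""
import re
from dataclasses import dataclass

# "• Api.MODULE(arg,arg,...), ref: 0040A120"  or  "• Api.MODULE ref: 0040A43A",
# optionally prefixed by "Part of subcall function 0040EC54:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<body>.*)$")
# Executable one directory below the system directory.  System32 is my generalisation;
# the report itself only shows a SysWOW64 path.
SYSTEM_DIR_EXE = re.compile(
    r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\\[^\\]+\.exe$", re.I)

SEM_NOGPFAULTERRORBOX = 0x0002   # SetErrorMode flag: suppress the crash dialog
PAGE_EXECUTE_READWRITE = 0x40
HKEY_CURRENT_USER = 0x80000001
REG_SZ = 1


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # arguments as printed; '?' means the analyser could not resolve it
    ref: int        # call-site address
    from_subcall: bool


def parse_api_lines(text):
    """Return the API calls in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls


def parse_strings(text):
    """The report joins a function's strings with '$'."""
    for line in text.splitlines():
        m = STRING_LINE.match(line)
        if m:
            return [s for s in m["body"].split("$") if s]
    return []


def hexarg(call, i):
    """Argument i as an integer, or None when the report shows '?' or a non-numeric value."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None


def find_behaviours(calls, strings, sample_path):
    """Map rule name -> evidence string for each behaviour found in the listing."""
    found = {}
    for i, c in enumerate(calls):
        later = calls[i + 1:]
        if c.api.startswith("DeleteFile") and c.args and c.args[0].lower() == sample_path.lower():
            found["self_delete"] = f"{c.api}({c.args[0]}) at {c.ref:08X}"
        if c.api.startswith("StartServiceCtrlDispatcher"):
            found["service_entry"] = f"{c.api} at {c.ref:08X}"
        if c.api == "SetErrorMode" and (hexarg(c, 0) or 0) & SEM_NOGPFAULTERRORBOX:
            found["crash_dialogs_suppressed"] = f"SetErrorMode({c.args[0]}) at {c.ref:08X}"
        if c.api.startswith("RegOpenKeyEx") and hexarg(c, 0) == HKEY_CURRENT_USER:
            # first RegSetValueEx before the key is closed; dwType is the 4th argument
            for n in later:
                if n.api.startswith("RegCloseKey"):
                    break
                if n.api.startswith("RegSetValueEx") and hexarg(n, 3) == REG_SZ:
                    found["hkcu_value_write"] = f"REG_SZ write under HKCU at {n.ref:08X}"
                    break
        if c.api == "VirtualAllocEx" and hexarg(c, 4) == PAGE_EXECUTE_READWRITE:
            if any(n.api == "WriteProcessMemory" for n in later):
                found["remote_rwx_write"] = f"RWX VirtualAllocEx at {c.ref:08X} then WriteProcessMemory"
    for s in strings:
        if SYSTEM_DIR_EXE.match(s):
            found["system_dir_drop"] = s
    return found


# Constructed sample input: a subset of the lines from the listings on this page.
SAMPLE_APIS = r"""
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetCommandLineA.KERNEL32 ref: 00409AFD
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\bEsOrli29K.exe), ref: 0040A407
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""
SAMPLE_STRINGS = r"""• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\bEsOrli29K.exe$C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$D$P$\$edgikboy"""
SAMPLE_PATH = r"C:\Users\user\Desktop\bEsOrli29K.exe"

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    for name, evidence in find_behaviours(calls, parse_strings(SAMPLE_STRINGS), SAMPLE_PATH).items():
        print(f"{name:26} {evidence}")
```

The rules deliberately work on the printed argument values: an argument the analyser could not resolve is shown as "?" or as a register value such as 00000022, so hexarg() returns None for non-numeric text and the path comparison only fires on a fully resolved string. Feed the function the listing of a single function at a time, since the "later call" checks assume listing order within one function.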

                                                                                      Control-flow Graph
                                                                                      Control-flow graph for the function at 4073ff (basic blocks 4073ff through 407808; rendered as an interactive figure, executed/not-executed block colouring not preserved in text). Blocks that call APIs: 40743a (call 406dc2, call 402544, RegOpenKeyExA), 407703 (RegEnumKeyA), 407714 (RegCloseKey), 4074d2 (RegOpenKeyExA), 4074fe (call 402544, RegQueryValueExA), 407644 (call 40ed77), 4076e4 / 407742 / 4077e3 / 4077ec (RegCloseKey), 40777e (GetFileAttributesExA); other blocks call 40ee2a, 406cad, 40f1a5, 40ef00, 40ee95, 40ed03, 40ed23, 406c96 and 40ee08.
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 5d003c, basic blocks 5d003c through 5d091d, calling VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA)
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005D024D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: fc9b128c1f50d28fefb36c0545add9695854d6336b218cbceaeb3d9a397e2676
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 7D526A74A01229DFDB64CF58C985BA8BBB1BF09314F1480DAE94DAB351DB30AE85DF14

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 40977c, basic blocks 40977c through 409866, calling CreateProcessA, Wow64GetThreadContext, TerminateProcess, WriteProcessMemory, Wow64SetThreadContext and ResumeThread)
APIs
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2098669666-2746444292
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 404000, basic blocks 404000 through 40405c, calling CreateFileA, GetLastError and Sleep in a retry loop)
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

Control-flow Graph
(no graph rendered for this function in the report)
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 406dc2, basic blocks 406dc2 through 406e35, calling GetVolumeInformationA)
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,xa,,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID: xa,
• API String ID: 1823874839-1065553563
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 406e36, basic blocks 406e36 through 406ec2, calling GetUserNameW and LookupAccountNameW)
APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID:
• API String ID: 2370142434-0
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 6239be, basic blocks 6239be through 623a1c, calling CreateToolhelp32Snapshot and Module32First)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006239E6
• Module32First.KERNEL32(00000000,00000224), ref: 00623A06
Memory Dump Source
• Source File: 0000000C.00000002.2281554914.0000000000623000.00000040.00000020.00020000.00000000.sdmp, Offset: 00623000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_623000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: e664b543b6a69eabb91ed830653466acb989a401e717214d0a02ca4e310a6f45
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 11F06831600B346BD7203AB5A88DBAA76EDAF45724F100529F646912C0D7B4ED454E61

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 5d0e0f, basic blocks 5d0e0f through 5d0e2c, calling SetErrorMode twice)
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,005D0223,?,?), ref: 005D0E19
• SetErrorMode.KERNELBASE(00000000,?,?,005D0223,?,?), ref: 005D0E1E
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: c5d6d6fa0513ea3056317b239f3eb2f6e5cae715dba88dd75ef451771bbf1679
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 47D0123114512877D7102A94DC09BCD7F1CDF05B62F008412FB0DD9180C770994046E5

Control-flow Graph
(rendered control-flow graph not reproduced; function starting at 409892, basic blocks 409892 through 4098f1, calling SetServiceStatus)
APIs
• SetServiceStatus.SECHOST(00413394), ref: 004098EB
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: ServiceStatus
• String ID:
• API String ID: 3969395364-0
• Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
• Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 609 62367d-6236b7 call 623990 612 623705 609->612 613 6236b9-6236ec VirtualAlloc call 62370a 609->613 612->612 615 6236f1-623703 613->615 615->612
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006236CE
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281554914.0000000000623000.00000040.00000020.00020000.00000000.sdmp, Offset: 00623000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_623000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction ID: 01f884fe29f1804d3baa5dd0f66adbba95108582e4eee9bec5b5d3d9b0ce145a
                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction Fuzzy Hash: E2113C79A00218EFDB01DF98C985E98BFF5AF08350F058094F9489B362E375EA90DF84

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 616 4098f2-4098f4 617 4098f6-409902 call 404280 616->617 620 409904-409913 Sleep 617->620 621 409917 617->621 620->617 622 409915 620->622 623 409919-409942 call 402544 call 40977c 621->623 624 40995e-409960 621->624 622->621 628 409947-409957 call 40ee2a 623->628 628->624
                                                                                      APIs
                                                                                        • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                      • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3100162736-0
                                                                                      • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                      • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                      • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                      • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 005D65F6
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 005D6610
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005D6631
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005D6652
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction ID: 724f06db76546f9bca8909c5dca4465b28895f363dc74277375ac69ae824fa31
                                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction Fuzzy Hash: F6119171600219BFDB219F69EC0AF9B3FA8FB057A5F104026F909A7251D7B1DD40C7A4
                                                                                      APIs
                                                                                      • ExitProcess.KERNEL32 ref: 005D9E6D
                                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 005D9FE1
                                                                                      • lstrcat.KERNEL32(?,?), ref: 005D9FF2
                                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 005DA004
                                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 005DA054
                                                                                      • DeleteFileA.KERNEL32(?), ref: 005DA09F
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 005DA0D6
                                                                                      • lstrcpy.KERNEL32 ref: 005DA12F
                                                                                      • lstrlen.KERNEL32(00000022), ref: 005DA13C
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 005D9F13
                                                                                        • Part of subcall function 005D7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,xa,,00000000,00000000,00000000,00000000), ref: 005D7081
                                                                                        • Part of subcall function 005D6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\utwyareo,005D7043), ref: 005D6F4E
                                                                                        • Part of subcall function 005D6F30: GetProcAddress.KERNEL32(00000000), ref: 005D6F55
                                                                                        • Part of subcall function 005D6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005D6F7B
                                                                                        • Part of subcall function 005D6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005D6F92
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 005DA1A2
                                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005DA1C5
                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 005DA214
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 005DA21B
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 005DA265
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005DA29F
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005DA2C5
                                                                                      • lstrcat.KERNEL32(?,00000022), ref: 005DA2D9
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005DA2F4
                                                                                      • wsprintfA.USER32 ref: 005DA31D
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005DA345
                                                                                      • lstrcat.KERNEL32(?,?), ref: 005DA364
                                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 005DA387
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 005DA398
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005DA1D1
                                                                                        • Part of subcall function 005D9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 005D999D
                                                                                        • Part of subcall function 005D9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 005D99BD
                                                                                        • Part of subcall function 005D9966: RegCloseKey.ADVAPI32(?), ref: 005D99C6
                                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 005DA3DB
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 005DA3E2
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 005DA41D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                      • String ID: "$"$"$D$P$\
                                                                                      • API String ID: 1653845638-2605685093
                                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction ID: 790afc0e6fa49e5b8049351824d8046ada3f71bb4c1c9cd8be9b06b06ea534f5
                                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction Fuzzy Hash: 8EF130B1D4025AAFDF21DBA4CC49EEF7BBCBB48300F1444A7E605E2241E7758A858F65
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                      • API String ID: 2238633743-3228201535
                                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$D
                                                                                      • API String ID: 2976863881-1963506762
                                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 005D7D21
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005D7D46
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005D7D7D
                                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 005D7DA2
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005D7DC0
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005D7DD1
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005D7DE5
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005D7DF3
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005D7E03
                                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 005D7E12
                                                                                      • LocalFree.KERNEL32(00000000), ref: 005D7E19
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005D7E35
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$D
                                                                                      • API String ID: 2976863881-1963506762
                                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction ID: 0a0f89206935e58106474aff8587a6e83d350837e38f3ceff30143f30c251fd0
                                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction Fuzzy Hash: 8CA13F7190021DAFDB218FA4DD88BEEBF7DFB48340F14806BE505E6250E7758A85CB64
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                      • API String ID: 2400214276-165278494
                                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                      • API String ID: 3650048968-2394369944
                                                                                      • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                      • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
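Analyst note on the function above: the strings and call sequence identify it as the bot's SMTP sender. The command set is ehlo (helo as fallback), optional AUTH LOGIN, mail from, rcpt to, data and quit; the 5-byte send of "." is the CRLF.CRLF end-of-data sequence; recv with a 0x3F6 (1014) byte buffer pairs with the "Too big smtp respons (%d bytes)" check; "Too small respons" and "Incorrect respons" cover replies without a usable status code; "Error sending command (sent = %d/%d)" reports a partial send. The script below is an added example, not code from the report or from the sample: it replays that command sequence against a minimal fake server over a local socketpair so the dialogue can be observed offline and the reply checks exercised. Host names, addresses and the message body are constructed; the AUTH LOGIN branch is not modelled.

```python
import re
import socket
import threading

MAX_REPLY = 0x3F6  # the recv() above passes a 0x3F6 (1014) byte buffer


class SmtpError(Exception):
    """Raised with messages modelled on the bot's own error strings."""


def parse_reply(raw: bytes) -> int:
    """Status code of a complete SMTP reply, with the bot's size/format checks."""
    if len(raw) > MAX_REPLY:
        raise SmtpError("Too big smtp respons (%d bytes)" % len(raw))
    if len(raw) < 3:
        raise SmtpError("Too small respons")
    last_line = raw.rstrip(b"\r\n").split(b"\r\n")[-1]
    match = re.match(rb"(\d{3})(?: |$)", last_line)
    if not match:
        raise SmtpError("Incorrect respons")
    return int(match.group(1))


def recv_reply(sock: socket.socket) -> int:
    """Read one (possibly multi-line) reply; a final 'ddd text' line ends it."""
    buf = b""
    while True:
        chunk = sock.recv(MAX_REPLY + 1 - len(buf))
        if not chunk:
            raise SmtpError("Too small respons")
        buf += chunk
        if len(buf) > MAX_REPLY:
            raise SmtpError("Too big smtp respons (%d bytes)" % len(buf))
        if buf.endswith(b"\r\n"):
            last_line = buf[:-2].split(b"\r\n")[-1]
            if len(last_line) == 3 or last_line[3:4] == b" ":
                return parse_reply(buf)


def send_command(sock: socket.socket, line: str) -> int:
    """Send one command line (verbs lower case, as in the strings) and return the reply code."""
    data = (line + "\r\n").encode("ascii")
    sent = sock.send(data)
    if sent != len(data):
        raise SmtpError("Error sending command (sent = %d/%d)" % (sent, len(data)))
    return recv_reply(sock)


def bot_dialogue(sock, helo_name, mail_from, rcpt_to, message: bytes):
    """Drive the observed sequence: ehlo (helo on failure), mail from, rcpt to,
    data, body + CRLF.CRLF, quit. Returns (command, reply_code) pairs."""
    transcript = []

    def step(line, wanted):
        code = send_command(sock, line)
        transcript.append((line, code))
        if code != wanted:
            raise SmtpError("Incorrect respons (%d, expected %d)" % (code, wanted))

    code = recv_reply(sock)
    transcript.append(("<greeting>", code))
    if code != 220:
        raise SmtpError("Incorrect respons (%d, expected 220)" % code)
    code = send_command(sock, "ehlo %s" % helo_name)
    transcript.append(("ehlo %s" % helo_name, code))
    if code != 250:                         # fall back to HELO when EHLO is refused
        step("helo %s" % helo_name, 250)
    step("mail from:<%s>" % mail_from, 250)
    step("rcpt to:<%s>" % rcpt_to, 250)
    step("data", 354)
    sock.sendall(message + b"\r\n.\r\n")    # the 5-byte send(".") terminator
    code = recv_reply(sock)
    transcript.append(("<message>", code))
    if code != 250:
        raise SmtpError("Incorrect respons (%d, expected 250)" % code)
    step("quit", 221)
    return transcript


def fake_server(sock: socket.socket, received: list, ehlo_ok: bool = True):
    """Minimal server side for the offline demo; records the commands it sees."""
    sock.sendall(b"220 mx.example.test ESMTP\r\n")
    rfile = sock.makefile("rb")
    in_data = False
    for raw in rfile:
        line = raw.rstrip(b"\r\n")
        if in_data:
            if line == b".":
                in_data = False
                sock.sendall(b"250 queued\r\n")
            continue
        received.append(line.decode("ascii", "replace"))
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"EHLO" and ehlo_ok:
            sock.sendall(b"250-mx.example.test\r\n250 AUTH LOGIN\r\n")
        elif verb in (b"HELO", b"MAIL", b"RCPT"):
            sock.sendall(b"250 ok\r\n")
        elif verb == b"DATA":
            in_data = True
            sock.sendall(b"354 end data with <CRLF>.<CRLF>\r\n")
        elif verb == b"QUIT":
            sock.sendall(b"221 bye\r\n")
            break
        else:
            sock.sendall(b"502 command not implemented\r\n")
    rfile.close()


def run_demo(ehlo_ok: bool = True):
    """Bot and fake server over a socketpair; returns (commands seen by server, client transcript)."""
    client, server = socket.socketpair()
    received = []
    worker = threading.Thread(target=fake_server, args=(server, received, ehlo_ok), daemon=True)
    worker.start()
    try:
        transcript = bot_dialogue(client, "bot.example.test", "a@example.test",
                                  "b@example.test", b"Subject: test\r\n\r\nhello")
    finally:
        client.close()
        worker.join(5)
        server.close()
    return received, transcript


if __name__ == "__main__":
    for cmd, code in run_demo()[1]:
        print("%-32s -> %d" % (cmd, code))
```

Two behaviours of this client are observable from a mail-relay sensor and follow directly from the strings: the verbs are sent in lower case exactly as listed, and any server reply longer than 1014 bytes makes the client abort the session.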
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005D7A96
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005D7ACD
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 005D7ADF
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 005D7B01
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005D7B1F
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005D7B39
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005D7B4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005D7B58
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005D7B68
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 005D7B77
                                                                                      • LocalFree.KERNEL32(00000000), ref: 005D7B7E
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005D7B9A
                                                                                      • GetAce.ADVAPI32(?,?,?), ref: 005D7BCA
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005D7BF1
                                                                                      • DeleteAce.ADVAPI32(?,?), ref: 005D7C0A
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 005D7C2C
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005D7CB1
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005D7CBF
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 005D7CD0
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 005D7CE0
                                                                                      • LocalFree.KERNEL32(00000000), ref: 005D7CEE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: b73b75a8f9cee4a95fb75306b40a337752de714441a5ff4e3c4379bcdec78e07
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: E1812A7190421DAFDB218FA8DD48BEEBFB8BB0C304F04806BE515E6250E7759A45CB64
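Analyst note on the function above (Opcode ID bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d, present in both the 00400000 and 005D0000 dumps): the constants make the sequence readable. GetFileSecurityA with 0x5 requests OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION; the owner SID is compared with the SID looked up for the GetUserNameA result; when they differ, a 20-byte SECURITY_DESCRIPTOR (LocalAlloc LPTR, 0x14) is initialised with revision 1, given that SID as owner and written back with SetFileSecurityA(..., 1) (OWNER_SECURITY_INFORMATION). The DACL is then walked with GetAce, entries whose SID matches a constant compared via EqualSid are removed with DeleteAce, and the result is written with SetFileSecurityA(..., 4) (DACL_SECURITY_INFORMATION). Which principal that constant names is not resolved on this page. The net effect is a file owned by the bot's user account with a thinned DACL, which is not what Windows assigns to files under the system directory. The block below is an added example, not code from the report or from the sample: it parses SDDL as printed by `(Get-Acl <path>).Sddl` and flags an owner or DACL that deviates from the OS baseline, so the dropped path listed in the strings (C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe) can be checked on a live host. The two SDDL samples are constructed: the TrustedInstaller SID is the well-known one, the S-1-5-21-... user SID is hypothetical.

```python
import re

# SDDL two-letter SID aliases and rights codes (subset sufficient for file ACLs).
SID_ALIASES = {
    "SY": "S-1-5-18",        # NT AUTHORITY\SYSTEM
    "BA": "S-1-5-32-544",    # BUILTIN\Administrators
    "BU": "S-1-5-32-545",    # BUILTIN\Users
    "AU": "S-1-5-11",        # Authenticated Users
    "WD": "S-1-1-0",         # Everyone
    "CO": "S-1-3-0",         # CREATOR OWNER
    "LS": "S-1-5-19", "NS": "S-1-5-20",
}
RIGHTS_CODES = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
}
DELETE, WRITE_DAC, WRITE_OWNER, FILE_WRITE_DATA = 0x10000, 0x40000, 0x80000, 0x2
TAMPER_RIGHTS = DELETE | WRITE_DAC | WRITE_OWNER | FILE_WRITE_DATA
SYSTEM_OWNERS = {"S-1-5-18", "S-1-5-32-544"}
TRUSTED_INSTALLER_PREFIX = "S-1-5-80-"   # NT SERVICE\* accounts, TrustedInstaller among them


def expand_sid(token: str) -> str:
    return SID_ALIASES.get(token, token)


def rights_to_mask(token: str) -> int:
    """Hex mask or concatenated two-letter codes -> access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS_CODES[token[i:i + 2]]
    return mask


def _split_sections(sddl: str) -> dict:
    """Split 'O:...G:...D:...S:...' on markers that sit outside parentheses."""
    sections, key, start, depth, i = {}, None, 0, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = sddl[start:i]
            key, start, i = ch, i + 2, i + 2
            continue
        i += 1
    if key is not None:
        sections[key] = sddl[start:]
    return sections


def _parse_acl(text: str) -> tuple:
    """ACL flags (e.g. 'PAI') and the list of (type;flags;rights;;;sid) ACEs."""
    flags = text.split("(", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": rights_to_mask(fields[2]), "sid": expand_sid(fields[5])})
    return flags, aces


def parse_sddl(sddl: str) -> dict:
    s = _split_sections(sddl)
    dacl_flags, dacl = _parse_acl(s.get("D", ""))
    sacl_flags, sacl = _parse_acl(s.get("S", ""))
    return {"owner": expand_sid(s.get("O", "")), "group": expand_sid(s.get("G", "")),
            "dacl_flags": dacl_flags, "dacl": dacl, "sacl_flags": sacl_flags, "sacl": sacl}


def audit_system_file_sd(sddl: str) -> list:
    """Findings for a file under the Windows directory whose owner or DACL
    no longer looks like what the OS assigns (empty list = nothing unusual)."""
    sd = parse_sddl(sddl)
    findings = []
    owner = sd["owner"]
    if owner not in SYSTEM_OWNERS and not owner.startswith(TRUSTED_INSTALLER_PREFIX):
        findings.append("owner %s is not SYSTEM, Administrators or an NT SERVICE account" % owner)
    allowed = {a["sid"] for a in sd["dacl"] if a["type"] == "A"}
    for name, sid in (("SYSTEM", "S-1-5-18"), ("Administrators", "S-1-5-32-544")):
        if sid not in allowed:
            findings.append("no allow ACE for %s (%s)" % (name, sid))
    for ace in sd["dacl"]:
        if ace["type"] == "D":
            findings.append("deny ACE for %s" % ace["sid"])
        elif ace["sid"].startswith("S-1-5-21-") and ace["rights"] & TAMPER_RIGHTS:
            findings.append("account %s holds delete/write-DAC/write-owner rights (0x%X)"
                            % (ace["sid"], ace["rights"]))
    return findings


# Constructed samples, not taken from the report.
TI = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"  # NT SERVICE\TrustedInstaller
USER = "S-1-5-21-1000000000-2000000000-3000000000-1001"                # hypothetical local user
BASELINE_SDDL = ("O:%sG:%sD:PAI(A;;FA;;;%s)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;BU)"
                 % (TI, TI, TI))
TAMPERED_SDDL = "O:%sG:%sD:PAI(A;;FA;;;%s)(A;;0x1200a9;;;BU)" % (USER, USER, USER)

if __name__ == "__main__":
    for label, sddl in (("baseline", BASELINE_SDDL), ("tampered", TAMPERED_SDDL)):
        print(label, audit_system_file_sd(sddl) or ["ok"])
```

On a suspect host, feed `(Get-Acl 'C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe').Sddl` (and the enclosing edgikboy directory) to `audit_system_file_sd`; an owner in the S-1-5-21 range plus missing SYSTEM/Administrators entries is the footprint this function leaves, independent of which SID the DeleteAce loop targets.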
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$localcfg
                                                                                      • API String ID: 237177642-3670105814
                                                                                      • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                      • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                      • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                      • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-3716895483
                                                                                      • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                      • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 835516345-270533642
                                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
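Analyst note on the function above: inet_addr on the fixed literal 123.45.67.89 followed by GetBestInterface and GetAdaptersInfo (resolved from Iphlpapi.dll at run time) is the usual way to find the interface carrying the default route without sending a packet, because GetBestInterface only consults the routing table for the given destination. The block below is an added example, not code from the report or from the sample: it reproduces the lookup through ctypes on Windows and uses the portable UDP connect()/getsockname() equivalent elsewhere, returning None when no route exists (an isolated analysis VM, for instance). The port number and the helper names are assumptions.

```python
import socket
import sys

PROBE_ADDRESS = "123.45.67.89"   # the literal the bot passes to inet_addr(); nothing is ever sent to it


def outbound_address(probe: str = PROBE_ADDRESS, port: int = 53):
    """Local IPv4 address the kernel would source packets to `probe` from, or
    None when no route exists. UDP connect() only performs the route lookup
    and binds the local address; no datagram leaves the host. The port is an
    arbitrary choice and plays no part in the lookup."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        s.connect((probe, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def best_interface_index(probe: str = PROBE_ADDRESS):
    """Windows only: the interface index GetBestInterface() returns for `probe`,
    i.e. the Iphlpapi call the function above resolves with GetProcAddress.
    Returns None on other platforms or when the call fails."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    iphlpapi = ctypes.WinDLL("iphlpapi")
    # inet_addr() hands back the address in network byte order inside a ULONG;
    # on little-endian Windows that is the same integer as this expression.
    dest = ctypes.c_ulong(int.from_bytes(socket.inet_aton(probe), "little"))
    index = wintypes.DWORD()
    if iphlpapi.GetBestInterface(dest, ctypes.byref(index)) != 0:   # NO_ERROR is 0
        return None
    return index.value


def has_internet_route() -> bool:
    """True when the host has a route to an arbitrary public address."""
    addr = outbound_address()
    return addr is not None and not addr.startswith("127.")


if __name__ == "__main__":
    print("outbound address:", outbound_address())
    print("best interface index:", best_interface_index())
```

For sandbox work this cuts both ways: a VM with no default route makes the lookup fail, which a sample may treat as a reason to stay dormant, so give the analysis network a route (even a sinkholed one) when the goal is to reach the SMTP code path.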
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 005D865A
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 005D867B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 005D86A8
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 005D86B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: "$C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe
                                                                                      • API String ID: 237177642-4283548912
                                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction ID: 49859bb115af94fcd2b2799caf0e8e1723cd782c2f5213d18b969d2233e6b25e
                                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction Fuzzy Hash: 2EC1B171900109BEEB31ABA8DC89EFF7FBCFB54300F144067F605E6251EA718A949B65
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• ShellExecuteExW.SHELL32(?), ref: 005D1601
• lstrlenW.KERNEL32(-00000003), ref: 005D17D8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 005D76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 005D7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 005D778F
• ___ascii_stricmp.LIBCMT ref: 005D78B4
• RegCloseKey.ADVAPI32(?), ref: 005D794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 005D796D
• RegCloseKey.ADVAPI32(?), ref: 005D797E
• RegCloseKey.ADVAPI32(?), ref: 005D79AC
• RegCloseKey.ADVAPI32(?), ref: 005D7A56
  • Part of subcall function 005DF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,005D772A,?), ref: 005DF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 005D79F6
• RegCloseKey.ADVAPI32(?), ref: 005D7A4D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(75920F10), ref: 00407208
• RegCloseKey.ADVAPI32(75920F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
• RegCloseKey.ADVAPI32(75920F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 005D2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 005D2D07
• htons.WS2_32(00000000), ref: 005D2D42
• select.WS2_32 ref: 005D2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 005D2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 005D2E62
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
                                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 005D202D
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 005D204F
                                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 005D206A
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 005D2071
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 005D2082
                                                                                      • GetTickCount.KERNEL32 ref: 005D2230
                                                                                        • Part of subcall function 005D1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 005D1E7C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                      • API String ID: 4207808166-1391650218
                                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                      • Instruction ID: 12629b9a0b39aed31878ea22c3882ea0726a22e6013ef7cd0d5cb396972604e1
                                                                                      • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                      • Instruction Fuzzy Hash: A551C4B0500745AFE330AF698C8AF67BEECFF94704F00491FF99686242D6B5A944C765
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                      • API String ID: 3976553417-1522128867
                                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                      APIs
                                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2404124870-0
                                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                      APIs
                                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1553760989-1857712256
                                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 005D3068
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 005D3078
                                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 005D3095
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005D30B6
                                                                                      • htons.WS2_32(00000035), ref: 005D30EF
                                                                                      • inet_addr.WS2_32(?), ref: 005D30FA
                                                                                      • gethostbyname.WS2_32(?), ref: 005D310D
                                                                                      • HeapFree.KERNEL32(00000000), ref: 005D314D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: iphlpapi.dll
                                                                                      • API String ID: 2869546040-3565520932
                                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction ID: 13b66ea3028828ed5eb07d4188f46e69ea1cd91e3421b318907603c670b0c912
                                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction Fuzzy Hash: 3F317331A00607ABDB219BFC9C48AAE7FB8BF04760F144167E518E7390DB74DA81CB59
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?), ref: 005D95A7
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005D95D5
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005D95DC
                                                                                      • wsprintfA.USER32 ref: 005D9635
                                                                                      • wsprintfA.USER32 ref: 005D9673
                                                                                      • wsprintfA.USER32 ref: 005D96F4
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 005D9758
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005D978D
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005D97D8
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID:
                                                                                      • API String ID: 3696105349-0
                                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                      • Instruction ID: 145fcbf2f72bb3197a6aacea06b5466b13db8b1a6ec8106c2a55e10a7fc367b5
                                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                      • Instruction Fuzzy Hash: 03A17BB1900209EBEB31DFA8DC49FDA3BACFB45741F104027FA0592252E7B5D984DBA5
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                      • API String ID: 3560063639-3847274415
                                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                      • API String ID: 1586166983-1625972887
                                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                      • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3188212458-0
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                      APIs
                                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 005D67C3
                                                                                      • htonl.WS2_32(?), ref: 005D67DF
                                                                                      • htonl.WS2_32(?), ref: 005D67EE
                                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 005D68F1
                                                                                      • ExitProcess.KERNEL32 ref: 005D69BC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Processhtonl$CurrentExitHugeRead
                                                                                      • String ID: except_info$localcfg
                                                                                      • API String ID: 1150517154-3605449297
                                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                      • Instruction ID: 295462ccc4268915ade6b3c39272996d0f0279c3afa61970c2733f812bc8d769
                                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                      • Instruction Fuzzy Hash: 84616F71940208AFDB609FB4DC45FEA7BE9FB48300F148066F96DD2261DA7599908F54
                                                                                      APIs
                                                                                      • htons.WS2_32(005DCC84), ref: 005DF5B4
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 005DF5CE
                                                                                      • closesocket.WS2_32(00000000), ref: 005DF5DC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                      • Instruction ID: da277ce23ba1222ad4196c45ea0effbc84f01b73f05317e0c70c9b40256d735e
                                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                      • Instruction Fuzzy Hash: 37314D71900119ABDB20DFA9EC899EE7BBCFF89310F104567F916D3250E7709A818BA5
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                      • wsprintfA.USER32 ref: 00407036
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                      • String ID: /%d$|
                                                                                      • API String ID: 676856371-4124749705
                                                                                      • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                      • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 005D2FA1
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 005D2FB1
                                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 005D2FC8
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 005D3000
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005D3007
                                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 005D3032
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: dnsapi.dll
                                                                                      • API String ID: 1242400761-3175542204
                                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction ID: 7f98211b1bf62594838183bfa313379f746b948d64238f18bd40ae43c54d94d4
                                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction Fuzzy Hash: 0621607190162ABBCB319B59DC49AAEBFB8FF18B50F104423F905E7240D7B49E8187E4
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                      • API String ID: 1082366364-3395550214
                                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 005D9A18
                                                                                      • GetThreadContext.KERNEL32(?,?), ref: 005D9A52
                                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 005D9A60
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 005D9A98
                                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 005D9AB5
                                                                                      • ResumeThread.KERNEL32(?), ref: 005D9AC2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2981417381-2746444292
                                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction ID: 15e8748a3d9238e8cb73c1661cd2990465b1a0e6b1bd375ba30fe2a2cc18282e
                                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction Fuzzy Hash: D2213D72901119BBDB219BA5DC09EEFBFBCFF04750F404062BA19E5150E7758A84CBA4
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(004102D8), ref: 005D1C18
                                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 005D1C26
                                                                                      • GetProcessHeap.KERNEL32 ref: 005D1C84
                                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 005D1C9D
                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 005D1CC1
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 005D1D02
                                                                                      • FreeLibrary.KERNEL32(?), ref: 005D1D0B
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID:
                                                                                      • API String ID: 2324436984-0
                                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction ID: 1a3d4c5b01d3d4b07eca3babc8f7cb355f6881fe6fff4e51dc0ab96d13d0abc1
                                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction Fuzzy Hash: 6A311271D00619BFCB219FA8DC888AEBFB5FB45751B24447BE501A6210D7B54D80DB58
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 005D6CE4
                                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 005D6D22
                                                                                      • GetLastError.KERNEL32 ref: 005D6DA7
                                                                                      • CloseHandle.KERNEL32(?), ref: 005D6DB5
                                                                                      • GetLastError.KERNEL32 ref: 005D6DD6
                                                                                      • DeleteFileA.KERNEL32(?), ref: 005D6DE7
                                                                                      • GetLastError.KERNEL32 ref: 005D6DFD
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3873183294-0
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: e940d2a75dc8df214f1952524e739723f20180dfcfd671173984c90933cfec93
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: C631F376A00149BFCB21EFA8AD49ADE7F7AFB48300F148067E251E7351D7708986CB61
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\utwyareo,005D7043), ref: 005D6F4E
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 005D6F55
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005D6F7B
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005D6F92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$\\.\pipe\utwyareo
                                                                                      • API String ID: 1082366364-2792396914
                                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction ID: 08f246d0a85f00304f40e4e9589a4c5ad059f787a6f5d8b727220001d5d2ad6a
                                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction Fuzzy Hash: D12126217443457AF7325339AC8DFFB2E4CAB66710F1880A7F404D62C1EAD988D6826D
                                                                                      APIs
                                                                                      • GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00424F8B
                                                                                      • GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00424FC7
                                                                                      • GetComputerNameA.KERNEL32(?,?), ref: 00424FDB
                                                                                      • SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,0042C41C), ref: 00424FE9
                                                                                      • OpenJobObjectA.KERNEL32(00000000,00000000,0042C428), ref: 00424FF6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281330949.0000000000418000.00000020.00000001.01000000.00000005.sdmp, Offset: 00418000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_418000_pwdgvjcm.jbxd
                                                                                      Similarity
                                                                                      • API ID: NodeNuma$CalendarComputerHighestInfoNameNumberObjectOpenProcessor
                                                                                      • String ID: -
                                                                                      • API String ID: 3293808458-2547889144
                                                                                      • Opcode ID: cbd7c5c07cb5078078958f77ac79951bebb201362ab674e3885adec3f36132ee
                                                                                      • Instruction ID: 0eccb1aac1e8823434b1d3e5e9d8e26066e9430f249d9380e5c281313551a7e7
                                                                                      • Opcode Fuzzy Hash: cbd7c5c07cb5078078958f77ac79951bebb201362ab674e3885adec3f36132ee
                                                                                      • Instruction Fuzzy Hash: 1C11D271600228EFCB21AF21ED8499F7BB8FB84318F408179E629A6141C7385A86CF5C
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen
                                                                                      • String ID: $localcfg
                                                                                      • API String ID: 1659193697-2018645984
                                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction ID: a78bf875bbf6f48c1acdfdf1d6f051be1f1f7f37a021c34f95d1d7062c5ae462
                                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                      • Instruction Fuzzy Hash: 95711871A00305AAEF319B5CDC85BEF3F6ABB40315F244427F905A62E1DB618DC4875B
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                      • String ID: flags_upd$localcfg
                                                                                      • API String ID: 204374128-3505511081
                                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                      APIs
                                                                                        • Part of subcall function 005DDF6C: GetCurrentThreadId.KERNEL32 ref: 005DDFBA
                                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 005DE8FA
                                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,005D6128), ref: 005DE950
                                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 005DE989
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 2920362961-1846390581
                                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction ID: 4c328d0610a80c2960574834c60f5b8af0e76569538d5d1fbd5bf0187ab3abcf
                                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction Fuzzy Hash: EE318F31601706DBDB71AF28C89ABA67FE4FB05721F10892BE5558B751D370E881CB91
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction ID: ecdcc4afc8e05ff0c8d6f00896c901b4c770158dd5a7ee9ed7de7cda028deeb7
                                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction Fuzzy Hash: 1B214D76104115FFDB20ABA8EC49EDF3FADEB49361B208427F502D5291EB709A4196B4
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                                      • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 2439722600-0
                                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 005D92E2
                                                                                      • wsprintfA.USER32 ref: 005D9350
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005D9375
                                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 005D9389
                                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 005D9394
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 005D939B
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 2439722600-0
                                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                      • Instruction ID: ef4917c6cbf98d75ce25ed568e8581b1dfa7febf4c17f263ca8e9b33fc5370a4
                                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                      • Instruction Fuzzy Hash: 281172B16401157BE7317735EC0EFEF3E6EEBC8B10F008067BB09A5191EAB44A918664
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                      • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3819781495-0
                                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 005DC6B4
                                                                                      • InterlockedIncrement.KERNEL32(005DC74B), ref: 005DC715
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,005DC747), ref: 005DC728
                                                                                      • CloseHandle.KERNEL32(00000000,?,005DC747,00413588,005D8A77), ref: 005DC733
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1026198776-1857712256
                                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction ID: ef5c8d2c690d3bc639a3424b6281501a24b8c16aa4649ca8598b61e41de10acf
                                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction Fuzzy Hash: 115105B1A01B428FD7749F6DD68562ABEE9FB88300B50593FE18BC7B90D674E844CB50
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe
                                                                                      • API String ID: 124786226-2804431639
                                                                                      • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                      • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,005DE50A,00000000,00000000,00000000,00020106,00000000,005DE50A,00000000,000000E4), ref: 005DE319
                                                                                      • RegSetValueExA.ADVAPI32(005DE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005DE38E
                                                                                      • RegDeleteValueA.ADVAPI32(005DE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D]), ref: 005DE3BF
                                                                                      • RegCloseKey.ADVAPI32(005DE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D],005DE50A), ref: 005DE3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID: D]
                                                                                      • API String ID: 2667537340-1711158228
                                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction ID: 0533f3a7296e50370b9fedde217470e36ca5c30c9c8367686a16d37b510a5297
                                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction Fuzzy Hash: 46215271A0021DBBDF209FA9EC8AEEE7F79EF09750F008422F905D7251E2719A54D790
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005D71E1
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005D7228
                                                                                      • LocalFree.KERNEL32(?,?,?), ref: 005D7286
                                                                                      • wsprintfA.USER32 ref: 005D729D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                      • String ID: |
                                                                                      • API String ID: 2539190677-2343686810
                                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction ID: 93dfb6f77ab81f858740611d9f939a844f30dc6b31eb7c22d25469abd89e6e2a
                                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction Fuzzy Hash: 1E312976904209BBCB11DFA8DC49ADA7FACFF08314F148167F859DB201EB75DA488B94
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                      • String ID: LocalHost
                                                                                      • API String ID: 3695455745-3154191806
                                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
APIs
• GetLocalTime.KERNEL32(?), ref: 005DB51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005DB529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 005DB548
• GetTimeZoneInformation.KERNEL32(?), ref: 005DB590
• wsprintfA.USER32 ref: 005DB61E
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 005D6303
• LoadLibraryA.KERNEL32(?), ref: 005D632A
• GetProcAddress.KERNEL32(00000000,?), ref: 005D63B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 005D6405
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• String ID:
• API String ID: 1802437671-0
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005D93C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 005D93CD
• CharToOemA.USER32(?,?), ref: 005D93DB
• wsprintfA.USER32 ref: 005D9410
  • Part of subcall function 005D92CB: GetTempPathA.KERNEL32(00000400,?), ref: 005D92E2
  • Part of subcall function 005D92CB: wsprintfA.USER32 ref: 005D9350
  • Part of subcall function 005D92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005D9375
  • Part of subcall function 005D92CB: lstrlen.KERNEL32(?,?,00000000), ref: 005D9389
  • Part of subcall function 005D92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 005D9394
  • Part of subcall function 005D92CB: CloseHandle.KERNEL32(00000000), ref: 005D939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 005D9448
Memory Dump Source
• Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                      • API String ID: 2574300362-1087626847
                                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: hi_id$localcfg
                                                                                      • API String ID: 2777991786-2393279970
                                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID: *p@
                                                                                      • API String ID: 3429775523-2474123842
                                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg$u6A
                                                                                      • API String ID: 1594361348-1940331995
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 70faf734500188528e8d2273c3796b91b82e51b9fa39a070ed032831f4cf0cf6
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: C6E082306082218FCB208B2CF848ACA3BA4AF2A330F008182F080C32A1C7349CC0AB80
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 005D69E5
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 005D6A26
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 005D6A3A
                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 005D6BD8
                                                                                        • Part of subcall function 005DEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,005D1DCF,?), ref: 005DEEA8
                                                                                        • Part of subcall function 005DEE95: HeapFree.KERNEL32(00000000), ref: 005DEEAF
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 3384756699-0
                                                                                      • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                      • Instruction ID: 1bfbcd70b105b14779d9c81b2eab0bdef2c08d6f103b13e5ae6fa7ee2c337295
                                                                                      • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                      • Instruction Fuzzy Hash: 95710671900219EFDB20DFA8CC849EEBFB9FB08314F10456BE515E6290D7749E92DB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                      • API String ID: 2111968516-120809033
                                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID:
                                                                                      • API String ID: 2667537340-0
                                                                                      • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                      • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                      APIs
                                                                                      • GetFullPathNameA.KERNEL32(00000000,00000000,?,00000000), ref: 0042505E
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042507A
                                                                                      • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00425098
                                                                                      • SetFileShortNameA.KERNEL32(00000000,0042C460), ref: 004250A4
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281330949.0000000000418000.00000020.00000001.01000000.00000005.sdmp, Offset: 00418000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_418000_pwdgvjcm.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$CreateEnvironmentFileFreeFullHeapPathShortStrings
                                                                                      • String ID:
                                                                                      • API String ID: 4071102102-0
                                                                                      • Opcode ID: bc69b1226fcf67db89fe464c706799af24d95d8a8024064d16ebc773a46ea2e6
                                                                                      • Instruction ID: 5c8f484b8e6f5073547a08100acdc7810c7886e53351bf40ac3baed53192359c
                                                                                      • Opcode Fuzzy Hash: bc69b1226fcf67db89fe464c706799af24d95d8a8024064d16ebc773a46ea2e6
                                                                                      • Instruction Fuzzy Hash: 6E015E76701514ABC721AB66FD88D6F77BCE7C9709780102AF601D2190DA385942CAAD
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281330949.0000000000418000.00000020.00000001.01000000.00000005.sdmp, Offset: 00418000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_418000_pwdgvjcm.jbxd
                                                                                      Similarity
                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                      • String ID:
                                                                                      • API String ID: 3016257755-0
                                                                                      • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                      • Instruction ID: 62ab4b8ba8e517d9559e8c491edd40464884d24b5327c3800230cc66b45608ab
                                                                                      • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                      • Instruction Fuzzy Hash: BE11923211455EBBCF125F84ED05CEE3F22BB18354F998416FE1859130D33ACAB2AB89
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005D41AB
                                                                                      • GetLastError.KERNEL32 ref: 005D41B5
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005D41C6
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D41D9
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: 938ea05c2b33ebe07b19f718510d6ea4b465b2fd2e03758917cc72b0f1c6447b
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: D501E57691110AABDF11DF94ED84BEE7BACFB18355F108062F901E2150D7709AA4CFB6
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005D421F
                                                                                      • GetLastError.KERNEL32 ref: 005D4229
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005D423A
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D424D
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: b5ace9c324a562269a34ee6a3f8d4f65acccef4e513d0ea2852e7db145b6e14a
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: 4C01E272911209ABDF11DF94EE85BEE7BACFB08356F108462F901E2150D770AA548FB6
                                                                                      APIs
                                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 005DE066
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 1534048567-1846390581
                                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                      • Instruction ID: f88f3c38dde413f6c3b730ffbc7260450f7f2244f7696d2f07ed0d68900fb4db
                                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                      • Instruction Fuzzy Hash: E7F06831200701DBCB30EF19D888982BBE9FB05321B44862BE158C7160D3B4A899CB51
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000001,D],00000000,00000000,00000000), ref: 005DE470
                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 005DE484
                                                                                        • Part of subcall function 005DE2FC: RegCreateKeyExA.ADVAPI32(80000001,005DE50A,00000000,00000000,00000000,00020106,00000000,005DE50A,00000000,000000E4), ref: 005DE319
                                                                                        • Part of subcall function 005DE2FC: RegSetValueExA.ADVAPI32(005DE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005DE38E
                                                                                        • Part of subcall function 005DE2FC: RegDeleteValueA.ADVAPI32(005DE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D]), ref: 005DE3BF
                                                                                        • Part of subcall function 005DE2FC: RegCloseKey.ADVAPI32(005DE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D],005DE50A), ref: 005DE3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                      • String ID: D]
                                                                                      • API String ID: 4151426672-1711158228
                                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction ID: dc5496224fa060664e5f9d6dc4f23cf0dcee1aa31aef93f0ffce418c5a7d3b2a
                                                                                      • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction Fuzzy Hash: 4841E771900205BAEB30BA598C4BFEF3F6CFB54764F048027F90998292E2B58A50D6B5
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 005D83C6
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 005D8477
                                                                                        • Part of subcall function 005D69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 005D69E5
                                                                                        • Part of subcall function 005D69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 005D6A26
                                                                                        • Part of subcall function 005D69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 005D6A3A
                                                                                        • Part of subcall function 005DEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,005D1DCF,?), ref: 005DEEA8
                                                                                        • Part of subcall function 005DEE95: HeapFree.KERNEL32(00000000), ref: 005DEEAF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe
                                                                                      • API String ID: 359188348-2804431639
                                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction ID: 8179ea95022e2f9fde0385f33fb398217087cd3b7af4c29a4966163595f7c7cd
                                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction Fuzzy Hash: C24140B290010ABEDF30EBA89E85DFF7F6CFB44344F1444A7E505D6211EAB05A588B55
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 005DAFFF
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 005DB00D
                                                                                        • Part of subcall function 005DAF6F: gethostname.WS2_32(?,00000080), ref: 005DAF83
                                                                                        • Part of subcall function 005DAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 005DAFE6
                                                                                        • Part of subcall function 005D331C: gethostname.WS2_32(?,00000080), ref: 005D333F
                                                                                        • Part of subcall function 005D331C: gethostbyname.WS2_32(?), ref: 005D3349
                                                                                        • Part of subcall function 005DAA0A: inet_ntoa.WS2_32(00000000), ref: 005DAA10
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %OUTLOOK_BND_
                                                                                      • API String ID: 1981676241-3684217054
                                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                      • Instruction ID: 1a07532295d09df3ccb16a71453da254db496f2d83bce4828bcdaf45b5263558
                                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                      • Instruction Fuzzy Hash: 6441507290020DABDB25EFA4DC4AEEF3BADFF48300F144427F92592252EA75D694CB54
                                                                                      APIs
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 005D9536
                                                                                      • Sleep.KERNEL32(000001F4), ref: 005D955D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShellSleep
                                                                                      • String ID:
                                                                                      • API String ID: 4194306370-3916222277
                                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction ID: d0bcdb184b75eb0bb3398d3c43d0dab347ce8eb8529f2bc606201c95fa7578d0
                                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction Fuzzy Hash: 8741F3B19083856EEF379B6CE88D7A67FA4BF02314F2841B7D486973A3D6B44D818711
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                      • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID: ,k@
                                                                                      • API String ID: 3934441357-1053005162
                                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 005DB9D9
                                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 005DBA3A
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 005DBA94
                                                                                      • GetTickCount.KERNEL32 ref: 005DBB79
                                                                                      • GetTickCount.KERNEL32 ref: 005DBB99
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 005DBE15
                                                                                      • closesocket.WS2_32(00000000), ref: 005DBEB4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 1869671989-2903620461
                                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction ID: 83a3d023157e6739ef1b1234f663778593bd58c7d8e52f674008127dff3540b8
                                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction Fuzzy Hash: 23316D71400248DFEF35DFA8DC48AE97BB9FB48700F204557FA2482251DB30DA85CB14
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 536389180-1857712256
                                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 005D70BC
                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 005D70F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountLookupUser
                                                                                      • String ID: |
                                                                                      • API String ID: 2370142434-2343686810
                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction ID: 3f7ee894e840d76203ecb8ec0937873798e74ea021d5f28c057c364682c219a7
                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction Fuzzy Hash: 7511007290411CEBDF21CFD8DC85ADEBBBDBB08715F1442A7E501E6150E6709B44DBA0
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2777991786-1857712256
                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                      • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                      APIs
                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281311296.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                      APIs
                                                                                        • Part of subcall function 005D2F88: GetModuleHandleA.KERNEL32(?), ref: 005D2FA1
                                                                                        • Part of subcall function 005D2F88: LoadLibraryA.KERNEL32(?), ref: 005D2FB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005D31DA
                                                                                      • HeapFree.KERNEL32(00000000), ref: 005D31E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.2281478494.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_5d0000_pwdgvjcm.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction ID: d344f1e241af3476aa63c6902cade786c5bbc1f6f4a257e2c1cdc5436b4201e0
                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction Fuzzy Hash: 2251AA7590024AAFCB219F68D8889EABB75FF19300F14456AEC96C7311E7329A19CB91

                                                                                      Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1807
Total number of Limit Nodes: 18
6328->6329 6330 4c80f9 6328->6330 6833 4c7ee6 6329->6833 6846 4c704c 6330->6846 6333 4c80f4 6335 4c675c 21 API calls 6333->6335 6345 4c8269 CreateThread 6333->6345 6334 4c8110 6334->6333 6336 4c8156 RegOpenKeyExA 6334->6336 6338 4c8244 6335->6338 6337 4c816d RegQueryValueExA 6336->6337 6341 4c8216 6336->6341 6339 4c818d 6337->6339 6340 4c81f7 6337->6340 6343 4cec2e codecvt 4 API calls 6338->6343 6338->6345 6339->6340 6346 4cebcc 4 API calls 6339->6346 6342 4c820d RegCloseKey 6340->6342 6344 4cec2e codecvt 4 API calls 6340->6344 6341->6333 6342->6341 6343->6345 6351 4c81dd 6344->6351 6352 4c5e6c 6345->6352 7307 4c877e 6345->7307 6347 4c81a0 6346->6347 6347->6342 6348 4c81aa RegQueryValueExA 6347->6348 6348->6340 6349 4c81c4 6348->6349 6350 4cebcc 4 API calls 6349->6350 6350->6351 6351->6342 6948 4cec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6352->6948 6354 4c5e71 6949 4ce654 6354->6949 6356 4c5ec1 6357 4c3132 6356->6357 6358 4cdf70 12 API calls 6357->6358 6359 4c313b 6358->6359 6360 4cc125 6359->6360 6960 4cec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6360->6960 6362 4cc12d 6363 4ce654 13 API calls 6362->6363 6364 4cc2bd 6363->6364 6365 4ce654 13 API calls 6364->6365 6366 4cc2c9 6365->6366 6367 4ce654 13 API calls 6366->6367 6368 4ca47a 6367->6368 6369 4c8db1 6368->6369 6370 4c8dbc 6369->6370 6371 4ce654 13 API calls 6370->6371 6372 4c8dec Sleep 6371->6372 6372->6190 6374 4cc92f 6373->6374 6375 4cc93c 6374->6375 6972 4cc517 6374->6972 6377 4cca2b 6375->6377 6378 4ce819 11 API calls 6375->6378 6377->6190 6379 4cc96a 6378->6379 6380 4ce819 11 API calls 6379->6380 6381 4cc97d 6380->6381 6382 4ce819 11 API calls 6381->6382 6383 4cc990 6382->6383 6384 4cc9aa 6383->6384 6385 4cebcc 4 API calls 6383->6385 6384->6377 6961 4c2684 6384->6961 6385->6384 6390 4cca26 6989 4cc8aa 6390->6989 6393 4cca44 6394 4cca4b closesocket 6393->6394 6395 4cca83 6393->6395 6394->6390 6396 4cea84 30 API calls 6395->6396 6397 4ccaac 6396->6397 6398 4cf04e 4 
API calls 6397->6398 6399 4ccab2 6398->6399 6400 4cea84 30 API calls 6399->6400 6401 4ccaca 6400->6401 6402 4cea84 30 API calls 6401->6402 6403 4ccad9 6402->6403 6993 4cc65c 6403->6993 6406 4ccb60 closesocket 6406->6377 6408 4cdad2 closesocket 6409 4ce318 23 API calls 6408->6409 6410 4cdae0 6409->6410 6410->6377 6411 4cdf4c 20 API calls 6432 4ccb70 6411->6432 6416 4ce654 13 API calls 6416->6432 6422 4cc65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6422->6432 6423 4cea84 30 API calls 6423->6432 6424 4cd569 closesocket Sleep 7040 4ce318 6424->7040 6425 4cd815 wsprintfA 6425->6432 6426 4ccc1c GetTempPathA 6426->6432 6427 4cc517 23 API calls 6427->6432 6429 4cf04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6429->6432 6430 4cd582 ExitProcess 6431 4ce8a1 30 API calls 6431->6432 6432->6408 6432->6411 6432->6416 6432->6422 6432->6423 6432->6424 6432->6425 6432->6426 6432->6427 6432->6429 6432->6431 6433 4ccfe3 GetSystemDirectoryA 6432->6433 6434 4ccfad GetEnvironmentVariableA 6432->6434 6435 4c675c 21 API calls 6432->6435 6436 4cd027 GetSystemDirectoryA 6432->6436 6437 4cd105 lstrcatA 6432->6437 6438 4cef1e lstrlenA 6432->6438 6439 4ccc9f CreateFileA 6432->6439 6440 4cec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6432->6440 6442 4c8e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6432->6442 6443 4cd15b CreateFileA 6432->6443 6448 4cd149 SetFileAttributesA 6432->6448 6449 4cd36e GetEnvironmentVariableA 6432->6449 6450 4cd1bf SetFileAttributesA 6432->6450 6452 4cd22d GetEnvironmentVariableA 6432->6452 6453 4c7ead 6 API calls 6432->6453 6455 4cd3af lstrcatA 6432->6455 6457 4c7fcf 64 API calls 6432->6457 6458 4cd3f2 CreateFileA 6432->6458 6464 4cd3e0 SetFileAttributesA 6432->6464 6465 4cd26e lstrcatA 6432->6465 6467 4cd4b1 CreateProcessA 6432->6467 6468 4cd2b1 CreateFileA 6432->6468 6470 4cd452 SetFileAttributesA 6432->6470 6472 4c7ee6 64 API calls 6432->6472 6473 4cd29f 
SetFileAttributesA 6432->6473 6476 4cd31d SetFileAttributesA 6432->6476 7001 4cc75d 6432->7001 7013 4c7e2f 6432->7013 7035 4c7ead 6432->7035 7045 4c31d0 6432->7045 7062 4c3c09 6432->7062 7072 4c3a00 6432->7072 7076 4ce7b4 6432->7076 7079 4cc06c 6432->7079 7085 4c6f5f GetUserNameA 6432->7085 7096 4ce854 6432->7096 7106 4c7dd6 6432->7106 6433->6432 6434->6432 6435->6432 6436->6432 6437->6432 6438->6432 6439->6432 6441 4cccc6 WriteFile 6439->6441 6440->6432 6444 4ccdcc CloseHandle 6441->6444 6445 4ccced CloseHandle 6441->6445 6442->6432 6443->6432 6446 4cd182 WriteFile CloseHandle 6443->6446 6444->6432 6451 4ccd2f 6445->6451 6446->6432 6447 4ccd16 wsprintfA 6447->6451 6448->6443 6449->6432 6450->6432 6451->6447 7022 4c7fcf 6451->7022 6452->6432 6453->6432 6455->6432 6455->6458 6457->6432 6458->6432 6459 4cd415 WriteFile CloseHandle 6458->6459 6459->6432 6460 4ccda5 6463 4c7ee6 64 API calls 6460->6463 6461 4ccd81 WaitForSingleObject CloseHandle CloseHandle 6462 4cf04e 4 API calls 6461->6462 6462->6460 6466 4ccdbd DeleteFileA 6463->6466 6464->6458 6465->6432 6465->6468 6466->6432 6467->6432 6469 4cd4e8 CloseHandle CloseHandle 6467->6469 6468->6432 6471 4cd2d8 WriteFile CloseHandle 6468->6471 6469->6432 6470->6432 6471->6432 6472->6432 6473->6468 6476->6432 6478 4c677a SetFileAttributesA 6477->6478 6479 4c6784 CreateFileA 6477->6479 6478->6479 6480 4c67a4 CreateFileA 6479->6480 6481 4c67b5 6479->6481 6480->6481 6482 4c67ba SetFileAttributesA 6481->6482 6483 4c67c5 6481->6483 6482->6483 6484 4c67cf GetFileSize 6483->6484 6485 4c6977 6483->6485 6486 4c67e5 6484->6486 6504 4c6965 6484->6504 6485->6174 6505 4c6a60 CreateFileA 6485->6505 6488 4c67ed ReadFile 6486->6488 6486->6504 6487 4c696e FindCloseChangeNotification 6487->6485 6489 4c6811 SetFilePointer 6488->6489 6488->6504 6490 4c682a ReadFile 6489->6490 6489->6504 6491 4c6848 SetFilePointer 6490->6491 6490->6504 6492 4c6867 6491->6492 6491->6504 6493 4c6878 ReadFile 6492->6493 6494 4c68d5 6492->6494 6495 4c68d0 
6493->6495 6497 4c6891 6493->6497 6494->6487 6496 4cebcc 4 API calls 6494->6496 6495->6494 6498 4c68f8 6496->6498 6497->6493 6497->6495 6499 4c6900 SetFilePointer 6498->6499 6498->6504 6500 4c690d ReadFile 6499->6500 6501 4c695a 6499->6501 6500->6501 6502 4c6922 6500->6502 6503 4cec2e codecvt 4 API calls 6501->6503 6502->6487 6503->6504 6504->6487 6506 4c6b8c GetLastError 6505->6506 6507 4c6a8f GetDiskFreeSpaceA 6505->6507 6508 4c6b86 6506->6508 6509 4c6ac5 6507->6509 6516 4c6ad7 6507->6516 6508->6189 7191 4ceb0e 6509->7191 6513 4c6b56 CloseHandle 6513->6508 6515 4c6b65 GetLastError CloseHandle 6513->6515 6514 4c6b36 GetLastError CloseHandle 6517 4c6b7f DeleteFileA 6514->6517 6515->6517 7195 4c6987 6516->7195 6517->6508 6519 4c96b9 6518->6519 6520 4c73ff 17 API calls 6519->6520 6521 4c96e2 6520->6521 6522 4c96f7 6521->6522 6523 4c704c 16 API calls 6521->6523 6522->6166 6522->6167 6523->6522 6525 4c429d 6524->6525 6526 4c42a5 6524->6526 6525->6170 6525->6185 7201 4c3ecd 6526->7201 6528 4c42b0 7205 4c4000 6528->7205 6530 4c43c1 CloseHandle 6530->6525 6531 4c42b6 6531->6525 6531->6530 7211 4c3f18 WriteFile 6531->7211 6536 4c43ba CloseHandle 6536->6530 6537 4c4318 6538 4c3f18 4 API calls 6537->6538 6539 4c4331 6538->6539 6540 4c3f18 4 API calls 6539->6540 6541 4c434a 6540->6541 6542 4cebcc 4 API calls 6541->6542 6543 4c4350 6542->6543 6544 4c3f18 4 API calls 6543->6544 6545 4c4389 6544->6545 6546 4cec2e codecvt 4 API calls 6545->6546 6547 4c438f 6546->6547 6548 4c3f8c 4 API calls 6547->6548 6549 4c439f CloseHandle CloseHandle 6548->6549 6549->6525 6551 4c99eb 6550->6551 6552 4c9a2f lstrcatA 6551->6552 6553 4cee2a 6552->6553 6554 4c9a4b lstrcatA 6553->6554 6555 4c6a60 13 API calls 6554->6555 6556 4c9a60 6555->6556 6556->6192 6556->6224 6557 4c6dc2 6556->6557 6558 4c6dd7 6557->6558 6559 4c6e33 6557->6559 6560 4c6cc9 5 API calls 6558->6560 6559->6210 6561 4c6ddc 6560->6561 6561->6561 6562 4c6e24 6561->6562 6563 4c6e02 GetVolumeInformationA 6561->6563 6562->6559 6563->6562 
6565 4c6cdc GetModuleHandleA GetProcAddress 6564->6565 6570 4c6d8b 6564->6570 6566 4c6cfd 6565->6566 6567 4c6d12 GetSystemDirectoryA 6565->6567 6566->6567 6566->6570 6568 4c6d1e 6567->6568 6569 4c6d27 GetWindowsDirectoryA 6567->6569 6568->6569 6568->6570 6572 4c6d42 6569->6572 6570->6220 6571 4cef1e lstrlenA 6571->6570 6572->6571 7219 4c1910 6573->7219 6576 4c934a GetModuleHandleA GetModuleFileNameA 6578 4c937f 6576->6578 6579 4c93d9 6578->6579 6580 4c93a4 6578->6580 6582 4c9401 wsprintfA 6579->6582 6581 4c93c3 wsprintfA 6580->6581 6583 4c9415 6581->6583 6582->6583 6586 4c6cc9 5 API calls 6583->6586 6607 4c94a0 6583->6607 6584 4c6edd 5 API calls 6585 4c94ac 6584->6585 6587 4c962f 6585->6587 6589 4c94e8 RegOpenKeyExA 6585->6589 6591 4c9439 6586->6591 6588 4c9646 6587->6588 7234 4c1820 6587->7234 6603 4c95d6 6588->6603 7240 4c91eb 6588->7240 6590 4c9502 6589->6590 6597 4c94fb 6589->6597 6594 4c951f RegQueryValueExA 6590->6594 6595 4cef1e lstrlenA 6591->6595 6598 4c9539 6594->6598 6599 4c9530 6594->6599 6600 4c9462 6595->6600 6596 4c958a 6596->6588 6601 4c9593 6596->6601 6597->6587 6597->6596 6604 4c9556 RegQueryValueExA 6598->6604 6602 4c956e RegCloseKey 6599->6602 6605 4c947e wsprintfA 6600->6605 6601->6603 7221 4cf0e4 6601->7221 6602->6597 6603->6230 6603->6231 6604->6599 6604->6602 6605->6607 6607->6584 6608 4c95bb 6608->6603 7228 4c18e0 6608->7228 6611 4c2544 6610->6611 6612 4c972d RegOpenKeyExA 6611->6612 6613 4c9765 6612->6613 6614 4c9740 6612->6614 6613->6206 6615 4c974f RegDeleteValueA RegCloseKey 6614->6615 6615->6613 6617 4c2554 lstrcatA 6616->6617 6618 4cee2a 6617->6618 6619 4ca0ec lstrcatA 6618->6619 6619->6238 6621 4ca15d 6620->6621 6622 4cec37 6620->6622 6621->6170 6621->6174 6623 4ceba0 codecvt 2 API calls 6622->6623 6624 4cec3d GetProcessHeap RtlFreeHeap 6623->6624 6624->6621 6626 4c2544 6625->6626 6627 4c919e wsprintfA 6626->6627 6628 4c91bb 6627->6628 7278 4c9064 GetTempPathA 6628->7278 6631 4c91d5 ShellExecuteA 6632 4c91e7 6631->6632 6632->6189 
6634 4c6ed5 6633->6634 6635 4c6ecc 6633->6635 6634->6225 6636 4c6e36 2 API calls 6635->6636 6636->6634 6638 4c98f6 6637->6638 6639 4c4280 30 API calls 6638->6639 6640 4c9904 Sleep 6638->6640 6641 4c9915 6638->6641 6639->6638 6640->6638 6640->6641 6643 4c9947 6641->6643 7285 4c977c 6641->7285 6643->6221 6645 4cdd41 InterlockedExchange 6644->6645 6646 4cdd4a 6645->6646 6647 4cdd20 GetCurrentThreadId 6645->6647 6649 4cdd53 GetCurrentThreadId 6646->6649 6648 4cdd2e GetTickCount 6647->6648 6647->6649 6650 4cdd4c 6648->6650 6651 4cdd39 Sleep 6648->6651 6649->6257 6650->6649 6651->6645 6653 4cdbf0 6652->6653 6685 4cdb67 GetEnvironmentVariableA 6653->6685 6655 4cdc19 6656 4cdcda 6655->6656 6657 4cdb67 3 API calls 6655->6657 6656->6259 6658 4cdc5c 6657->6658 6658->6656 6659 4cdb67 3 API calls 6658->6659 6660 4cdc9b 6659->6660 6660->6656 6661 4cdb67 3 API calls 6660->6661 6661->6656 6663 4ce528 6662->6663 6664 4ce3f4 6662->6664 6663->6272 6665 4ce434 RegQueryValueExA 6664->6665 6666 4ce51d RegCloseKey 6665->6666 6667 4ce458 6665->6667 6666->6663 6668 4ce46e RegQueryValueExA 6667->6668 6668->6667 6669 4ce488 6668->6669 6669->6666 6670 4cdb2e 8 API calls 6669->6670 6671 4ce499 6670->6671 6671->6666 6672 4ce4b9 RegQueryValueExA 6671->6672 6673 4ce4e8 6671->6673 6672->6671 6672->6673 6673->6666 6674 4ce332 14 API calls 6673->6674 6675 4ce513 6674->6675 6675->6666 6677 4cdb3a 6676->6677 6678 4cdb55 6676->6678 6689 4cebed 6677->6689 6678->6262 6678->6266 6707 4cf04e SystemTimeToFileTime GetSystemTimeAsFileTime 6680->6707 6682 4ce3be 6682->6262 6683 4ce342 6683->6682 6710 4cde24 6683->6710 6686 4cdb89 lstrcpyA CreateFileA 6685->6686 6687 4cdbca 6685->6687 6686->6655 6687->6655 6690 4cebf6 6689->6690 6691 4cec01 6689->6691 6698 4cebcc GetProcessHeap RtlAllocateHeap 6690->6698 6701 4ceba0 6691->6701 6699 4ceb74 2 API calls 6698->6699 6700 4cebe8 6699->6700 6700->6678 6702 4cebbf GetProcessHeap RtlReAllocateHeap 6701->6702 6703 4ceba7 GetProcessHeap HeapSize 6701->6703 6704 4ceb74 
6702->6704 6703->6702 6705 4ceb93 6704->6705 6706 4ceb7b GetProcessHeap HeapSize 6704->6706 6705->6678 6706->6705 6721 4ceb41 6707->6721 6709 4cf0b7 6709->6683 6711 4cde3a 6710->6711 6718 4cde4e 6711->6718 6730 4cdd84 6711->6730 6714 4cde9e 6715 4cebed 8 API calls 6714->6715 6714->6718 6719 4cdef6 6715->6719 6716 4cde76 6734 4cddcf 6716->6734 6718->6683 6719->6718 6720 4cddcf lstrcmpA 6719->6720 6720->6718 6722 4ceb4a 6721->6722 6723 4ceb61 6721->6723 6726 4ceae4 6722->6726 6723->6709 6725 4ceb54 6725->6709 6725->6723 6727 4ceaed LoadLibraryA 6726->6727 6728 4ceb02 GetProcAddress 6726->6728 6727->6728 6729 4ceb01 6727->6729 6728->6725 6729->6725 6731 4cddc5 6730->6731 6732 4cdd96 6730->6732 6731->6714 6731->6716 6732->6731 6733 4cddad lstrcmpiA 6732->6733 6733->6731 6733->6732 6735 4cde20 6734->6735 6736 4cdddd 6734->6736 6735->6718 6736->6735 6737 4cddfa lstrcmpA 6736->6737 6737->6736 6739 4cdd05 6 API calls 6738->6739 6740 4ce821 6739->6740 6741 4cdd84 lstrcmpiA 6740->6741 6742 4ce82c 6741->6742 6743 4ce844 6742->6743 6788 4c2480 6742->6788 6743->6286 6746 4cea98 6745->6746 6797 4ce8a1 6746->6797 6748 4c1e84 6748->6293 6750 4c19d5 GetProcAddress GetProcAddress GetProcAddress 6749->6750 6753 4c19ce 6749->6753 6751 4c1a04 6750->6751 6752 4c1ab3 FreeLibrary 6750->6752 6751->6752 6754 4c1a14 GetBestInterface GetProcessHeap 6751->6754 6752->6753 6753->6299 6754->6753 6755 4c1a2e HeapAlloc 6754->6755 6755->6753 6756 4c1a42 GetAdaptersInfo 6755->6756 6757 4c1a62 6756->6757 6758 4c1a52 HeapReAlloc 6756->6758 6759 4c1a69 GetAdaptersInfo 6757->6759 6760 4c1aa1 FreeLibrary 6757->6760 6758->6757 6759->6760 6761 4c1a75 HeapFree 6759->6761 6760->6753 6761->6760 6825 4c1ac3 LoadLibraryA 6763->6825 6766 4c1bcf 6766->6310 6768 4c1ac3 13 API calls 6767->6768 6769 4c1c09 6768->6769 6770 4c1c0d GetComputerNameA 6769->6770 6771 4c1c5a 6769->6771 6772 4c1c1f 6770->6772 6773 4c1c45 GetVolumeInformationA 6770->6773 6771->6319 6772->6773 6774 4c1c41 6772->6774 6773->6771 6774->6771 6776 
4cee2a 6775->6776 6777 4c30d0 gethostname gethostbyname 6776->6777 6778 4c1f82 6777->6778 6778->6324 6778->6325 6780 4cdd05 6 API calls 6779->6780 6781 4cdf7c 6780->6781 6782 4cdd84 lstrcmpiA 6781->6782 6784 4cdf89 6782->6784 6783 4cdfc4 6783->6291 6784->6783 6785 4cddcf lstrcmpA 6784->6785 6786 4cec2e codecvt 4 API calls 6784->6786 6787 4cdd84 lstrcmpiA 6784->6787 6785->6784 6786->6784 6787->6784 6791 4c2419 lstrlenA 6788->6791 6790 4c2491 6790->6743 6792 4c243d lstrlenA 6791->6792 6793 4c2474 6791->6793 6794 4c244e lstrcmpiA 6792->6794 6795 4c2464 lstrlenA 6792->6795 6793->6790 6794->6795 6796 4c245c 6794->6796 6795->6792 6795->6793 6796->6793 6796->6795 6798 4cdd05 6 API calls 6797->6798 6799 4ce8b4 6798->6799 6800 4cdd84 lstrcmpiA 6799->6800 6801 4ce8c0 6800->6801 6802 4ce8c8 lstrcpynA 6801->6802 6803 4ce90a 6801->6803 6804 4ce8f5 6802->6804 6805 4c2419 4 API calls 6803->6805 6813 4cea27 6803->6813 6818 4cdf4c 6804->6818 6806 4ce926 lstrlenA lstrlenA 6805->6806 6807 4ce94c lstrlenA 6806->6807 6808 4ce96a 6806->6808 6807->6808 6812 4cebcc 4 API calls 6808->6812 6808->6813 6810 4ce901 6811 4cdd84 lstrcmpiA 6810->6811 6811->6803 6814 4ce98f 6812->6814 6813->6748 6814->6813 6815 4cdf4c 20 API calls 6814->6815 6816 4cea1e 6815->6816 6817 4cec2e codecvt 4 API calls 6816->6817 6817->6813 6819 4cdd05 6 API calls 6818->6819 6820 4cdf51 6819->6820 6821 4cf04e 4 API calls 6820->6821 6822 4cdf58 6821->6822 6823 4cde24 10 API calls 6822->6823 6824 4cdf63 6823->6824 6824->6810 6826 4c1ae2 GetProcAddress 6825->6826 6830 4c1b68 GetComputerNameA GetVolumeInformationA 6825->6830 6827 4c1af5 6826->6827 6826->6830 6828 4c1b1c GetAdaptersAddresses 6827->6828 6829 4cebed 8 API calls 6827->6829 6831 4c1b29 6827->6831 6828->6827 6828->6831 6829->6827 6830->6766 6831->6830 6832 4cec2e codecvt 4 API calls 6831->6832 6832->6830 6834 4c6ec3 2 API calls 6833->6834 6835 4c7ef4 6834->6835 6845 4c7fc9 6835->6845 6869 4c73ff 6835->6869 6837 4c7f16 6837->6845 6889 4c7809 GetUserNameA 6837->6889 
6839 4c7f63 6839->6845 6913 4cef1e lstrlenA 6839->6913 6842 4cef1e lstrlenA 6843 4c7fb7 6842->6843 6915 4c7a95 RegOpenKeyExA 6843->6915 6845->6333 6847 4c7073 6846->6847 6848 4c70b9 RegOpenKeyExA 6847->6848 6849 4c70d0 6848->6849 6863 4c71b8 6848->6863 6850 4c6dc2 6 API calls 6849->6850 6853 4c70d5 6850->6853 6851 4c719b RegEnumValueA 6852 4c71af RegCloseKey 6851->6852 6851->6853 6852->6863 6853->6851 6855 4c71d0 6853->6855 6946 4cf1a5 lstrlenA 6853->6946 6856 4c7205 RegCloseKey 6855->6856 6857 4c7227 6855->6857 6856->6863 6858 4c728e RegCloseKey 6857->6858 6859 4c72b8 ___ascii_stricmp 6857->6859 6858->6863 6860 4c72cd RegCloseKey 6859->6860 6861 4c72dd 6859->6861 6860->6863 6862 4c7311 RegCloseKey 6861->6862 6864 4c7335 6861->6864 6862->6863 6863->6334 6865 4c73d5 RegCloseKey 6864->6865 6867 4c737e GetFileAttributesExA 6864->6867 6868 4c7397 6864->6868 6866 4c73e4 6865->6866 6867->6868 6868->6865 6870 4c741b 6869->6870 6871 4c6dc2 6 API calls 6870->6871 6872 4c743f 6871->6872 6873 4c7469 RegOpenKeyExA 6872->6873 6875 4c77f9 6873->6875 6884 4c7487 ___ascii_stricmp 6873->6884 6874 4c7703 RegEnumKeyA 6876 4c7714 RegCloseKey 6874->6876 6874->6884 6875->6837 6876->6875 6877 4c74d2 RegOpenKeyExA 6877->6884 6878 4c772c 6880 4c774b 6878->6880 6881 4c7742 RegCloseKey 6878->6881 6879 4c7521 RegQueryValueExA 6879->6884 6882 4c77ec RegCloseKey 6880->6882 6881->6880 6882->6875 6883 4c76e4 RegCloseKey 6883->6884 6884->6874 6884->6877 6884->6878 6884->6879 6884->6883 6885 4c7769 6884->6885 6887 4cf1a5 lstrlenA 6884->6887 6888 4c777e GetFileAttributesExA 6884->6888 6886 4c77e3 RegCloseKey 6885->6886 6886->6882 6887->6884 6888->6885 6890 4c783d LookupAccountNameA 6889->6890 6896 4c7a8d 6889->6896 6891 4c7874 GetLengthSid GetFileSecurityA 6890->6891 6890->6896 6892 4c78a8 GetSecurityDescriptorOwner 6891->6892 6891->6896 6893 4c791d GetSecurityDescriptorDacl 6892->6893 6894 4c78c5 EqualSid 6892->6894 6893->6896 6907 4c7941 6893->6907 6894->6893 6895 4c78dc LocalAlloc 6894->6895 
6895->6893 6897 4c78ef InitializeSecurityDescriptor 6895->6897 6896->6839 6898 4c78fb SetSecurityDescriptorOwner 6897->6898 6899 4c7916 LocalFree 6897->6899 6898->6899 6901 4c790b SetFileSecurityA 6898->6901 6899->6893 6900 4c795b GetAce 6900->6907 6901->6899 6902 4c7980 EqualSid 6902->6907 6903 4c7a3d 6903->6896 6906 4c7a43 LocalAlloc 6903->6906 6904 4c79be EqualSid 6904->6907 6905 4c799d DeleteAce 6905->6907 6906->6896 6908 4c7a56 InitializeSecurityDescriptor 6906->6908 6907->6896 6907->6900 6907->6902 6907->6903 6907->6904 6907->6905 6909 4c7a86 LocalFree 6908->6909 6910 4c7a62 SetSecurityDescriptorDacl 6908->6910 6909->6896 6910->6909 6911 4c7a73 SetFileSecurityA 6910->6911 6911->6909 6912 4c7a83 6911->6912 6912->6909 6914 4c7fa6 6913->6914 6914->6842 6916 4c7acb GetUserNameA 6915->6916 6917 4c7ac4 6915->6917 6918 4c7aed LookupAccountNameA 6916->6918 6919 4c7da7 RegCloseKey 6916->6919 6917->6845 6918->6919 6920 4c7b24 RegGetKeySecurity 6918->6920 6919->6917 6920->6919 6921 4c7b49 GetSecurityDescriptorOwner 6920->6921 6922 4c7bb8 GetSecurityDescriptorDacl 6921->6922 6923 4c7b63 EqualSid 6921->6923 6924 4c7da6 6922->6924 6938 4c7bdc 6922->6938 6923->6922 6925 4c7b74 LocalAlloc 6923->6925 6924->6919 6925->6922 6926 4c7b8a InitializeSecurityDescriptor 6925->6926 6928 4c7b96 SetSecurityDescriptorOwner 6926->6928 6929 4c7bb1 LocalFree 6926->6929 6927 4c7bf8 GetAce 6927->6938 6928->6929 6930 4c7ba6 RegSetKeySecurity 6928->6930 6929->6922 6930->6929 6931 4c7c1d EqualSid 6931->6938 6932 4c7cd9 6932->6924 6935 4c7d5a LocalAlloc 6932->6935 6936 4c7cf2 RegOpenKeyExA 6932->6936 6933 4c7c5f EqualSid 6933->6938 6934 4c7c3a DeleteAce 6934->6938 6935->6924 6937 4c7d70 InitializeSecurityDescriptor 6935->6937 6936->6935 6943 4c7d0f 6936->6943 6939 4c7d7c SetSecurityDescriptorDacl 6937->6939 6940 4c7d9f LocalFree 6937->6940 6938->6924 6938->6927 6938->6931 6938->6932 6938->6933 6938->6934 6939->6940 6941 4c7d8c RegSetKeySecurity 6939->6941 6940->6924 6941->6940 6942 4c7d9c 
6941->6942 6942->6940 6944 4c7d43 RegSetValueExA 6943->6944 6944->6935 6945 4c7d54 6944->6945 6945->6935 6947 4cf1c3 6946->6947 6947->6853 6948->6354 6950 4cdd05 6 API calls 6949->6950 6953 4ce65f 6950->6953 6951 4ce6a5 6952 4cebcc 4 API calls 6951->6952 6956 4ce6f5 6951->6956 6955 4ce6b0 6952->6955 6953->6951 6954 4ce68c lstrcmpA 6953->6954 6954->6953 6955->6956 6958 4ce6b7 6955->6958 6959 4ce6e0 lstrcpynA 6955->6959 6957 4ce71d lstrcmpA 6956->6957 6956->6958 6957->6956 6958->6356 6959->6956 6960->6362 6962 4c2692 inet_addr 6961->6962 6964 4c268e 6961->6964 6963 4c269e gethostbyname 6962->6963 6962->6964 6963->6964 6965 4cf428 6964->6965 7113 4cf315 6965->7113 6968 4cf43e 6969 4cf473 recv 6968->6969 6970 4cf47c 6969->6970 6971 4cf458 6969->6971 6970->6393 6971->6969 6971->6970 6973 4cc532 6972->6973 6974 4cc525 6972->6974 6975 4cc548 6973->6975 7126 4ce7ff 6973->7126 6974->6973 6977 4cec2e codecvt 4 API calls 6974->6977 6978 4ce7ff lstrcmpiA 6975->6978 6985 4cc54f 6975->6985 6977->6973 6979 4cc615 6978->6979 6980 4cebcc 4 API calls 6979->6980 6979->6985 6980->6985 6982 4cc5d1 6983 4cebcc 4 API calls 6982->6983 6983->6985 6984 4ce819 11 API calls 6986 4cc5b7 6984->6986 6985->6375 6987 4cf04e 4 API calls 6986->6987 6988 4cc5bf 6987->6988 6988->6975 6988->6982 6991 4cc8d2 6989->6991 6990 4cc907 6990->6377 6991->6990 6992 4cc517 23 API calls 6991->6992 6992->6990 6994 4cc670 6993->6994 6997 4cc67d 6993->6997 6995 4cebcc 4 API calls 6994->6995 6995->6997 6996 4cebcc 4 API calls 6999 4cc699 6996->6999 6997->6996 6997->6999 6998 4cc6f3 6998->6406 6998->6432 6999->6998 7000 4cc73c send 6999->7000 7000->6998 7002 4cc770 7001->7002 7003 4cc77d 7001->7003 7004 4cebcc 4 API calls 7002->7004 7005 4cc799 7003->7005 7007 4cebcc 4 API calls 7003->7007 7004->7003 7006 4cc7b5 7005->7006 7008 4cebcc 4 API calls 7005->7008 7009 4cf43e recv 7006->7009 7007->7005 7008->7006 7010 4cc7cb 7009->7010 7011 4cf43e recv 7010->7011 7012 4cc7d3 7010->7012 7011->7012 7012->6432 7129 4c7db7 
7013->7129 7016 4cf04e 4 API calls 7018 4c7e4c 7016->7018 7017 4c7e96 7017->6432 7020 4cf04e 4 API calls 7018->7020 7021 4c7e70 7018->7021 7019 4cf04e 4 API calls 7019->7017 7020->7021 7021->7017 7021->7019 7023 4c6ec3 2 API calls 7022->7023 7024 4c7fdd 7023->7024 7025 4c73ff 17 API calls 7024->7025 7034 4c80c2 CreateProcessA 7024->7034 7026 4c7fff 7025->7026 7027 4c7809 21 API calls 7026->7027 7026->7034 7028 4c804d 7027->7028 7029 4cef1e lstrlenA 7028->7029 7028->7034 7030 4c809e 7029->7030 7031 4cef1e lstrlenA 7030->7031 7032 4c80af 7031->7032 7033 4c7a95 24 API calls 7032->7033 7033->7034 7034->6460 7034->6461 7036 4c7db7 2 API calls 7035->7036 7037 4c7eb8 7036->7037 7038 4cf04e 4 API calls 7037->7038 7039 4c7ece DeleteFileA 7038->7039 7039->6432 7041 4cdd05 6 API calls 7040->7041 7042 4ce31d 7041->7042 7133 4ce177 7042->7133 7044 4ce326 7044->6430 7046 4c31f3 7045->7046 7048 4c31ec 7045->7048 7047 4cebcc 4 API calls 7046->7047 7061 4c31fc 7047->7061 7048->6432 7049 4c349d 7051 4cec2e codecvt 4 API calls 7049->7051 7050 4c3459 7052 4cf04e 4 API calls 7050->7052 7051->7048 7053 4c345f 7052->7053 7055 4c30fa 4 API calls 7053->7055 7054 4cebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7054->7061 7055->7048 7056 4c344d 7057 4cec2e codecvt 4 API calls 7056->7057 7058 4c344b 7057->7058 7058->7049 7058->7050 7060 4c3141 lstrcmpiA 7060->7061 7061->7048 7061->7054 7061->7056 7061->7058 7061->7060 7159 4c30fa GetTickCount 7061->7159 7063 4c30fa 4 API calls 7062->7063 7064 4c3c1a 7063->7064 7065 4c3ce6 7064->7065 7164 4c3a72 7064->7164 7065->6432 7068 4c3a72 9 API calls 7070 4c3c5e 7068->7070 7069 4c3a72 9 API calls 7069->7070 7070->7065 7070->7069 7071 4cec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7070->7071 7071->7070 7073 4c3a10 7072->7073 7074 4c30fa 4 API calls 7073->7074 7075 4c3a1a 7074->7075 7075->6432 7077 4cdd05 6 API calls 7076->7077 7078 4ce7be 7077->7078 7078->6432 7080 4cc07e wsprintfA 7079->7080 7081 4cc105 7079->7081 7173 
4cbfce GetTickCount wsprintfA 7080->7173 7081->6432 7083 4cc0ef 7174 4cbfce GetTickCount wsprintfA 7083->7174 7086 4c6f88 LookupAccountNameA 7085->7086 7087 4c7047 7085->7087 7089 4c6fcb 7086->7089 7090 4c7025 7086->7090 7087->6432 7092 4c6fdb ConvertSidToStringSidA 7089->7092 7175 4c6edd 7090->7175 7092->7090 7094 4c6ff1 7092->7094 7095 4c7013 LocalFree 7094->7095 7095->7090 7097 4cdd05 6 API calls 7096->7097 7098 4ce85c 7097->7098 7099 4cdd84 lstrcmpiA 7098->7099 7100 4ce867 7099->7100 7101 4ce885 lstrcpyA 7100->7101 7186 4c24a5 7100->7186 7189 4cdd69 7101->7189 7107 4c7db7 2 API calls 7106->7107 7108 4c7de1 7107->7108 7109 4c7e16 7108->7109 7110 4cf04e 4 API calls 7108->7110 7109->6432 7111 4c7df2 7110->7111 7111->7109 7112 4cf04e 4 API calls 7111->7112 7112->7109 7114 4cf33b 7113->7114 7121 4cca1d 7113->7121 7115 4cf347 htons socket 7114->7115 7116 4cf374 closesocket 7115->7116 7117 4cf382 ioctlsocket 7115->7117 7116->7121 7118 4cf39d 7117->7118 7119 4cf3aa connect select 7117->7119 7120 4cf39f closesocket 7118->7120 7119->7121 7122 4cf3f2 __WSAFDIsSet 7119->7122 7120->7121 7121->6390 7121->6968 7122->7120 7123 4cf403 ioctlsocket 7122->7123 7125 4cf26d setsockopt setsockopt setsockopt setsockopt setsockopt 7123->7125 7125->7121 7127 4cdd84 lstrcmpiA 7126->7127 7128 4cc58e 7127->7128 7128->6975 7128->6982 7128->6984 7130 4c7dc8 InterlockedExchange 7129->7130 7131 4c7dd4 7130->7131 7132 4c7dc0 Sleep 7130->7132 7131->7016 7131->7021 7132->7130 7135 4ce184 7133->7135 7134 4ce2e4 7134->7044 7135->7134 7136 4ce223 7135->7136 7149 4cdfe2 7135->7149 7136->7134 7138 4cdfe2 8 API calls 7136->7138 7143 4ce23c 7138->7143 7139 4ce1be 7139->7136 7140 4cdbcf 3 API calls 7139->7140 7142 4ce1d6 7140->7142 7141 4ce21a CloseHandle 7141->7136 7142->7136 7142->7141 7144 4ce1f9 WriteFile 7142->7144 7143->7134 7153 4ce095 RegCreateKeyExA 7143->7153 7144->7141 7146 4ce213 7144->7146 7146->7141 7147 4ce2a3 7147->7134 7148 4ce095 4 API calls 7147->7148 7148->7134 7150 4cdffc 7149->7150 
7152 4ce024 7149->7152 7151 4cdb2e 8 API calls 7150->7151 7150->7152 7151->7152 7152->7139 7154 4ce172 7153->7154 7155 4ce0c0 7153->7155 7154->7147 7157 4ce115 RegSetValueExA 7155->7157 7158 4ce13d 7155->7158 7156 4ce14e RegDeleteValueA RegCloseKey 7156->7154 7157->7155 7157->7158 7158->7156 7160 4c3122 InterlockedExchange 7159->7160 7161 4c312e 7160->7161 7162 4c310f GetTickCount 7160->7162 7161->7061 7162->7161 7163 4c311a Sleep 7162->7163 7163->7160 7165 4cf04e 4 API calls 7164->7165 7172 4c3a83 7165->7172 7166 4c3ac1 7166->7065 7166->7068 7167 4c3be6 7169 4cec2e codecvt 4 API calls 7167->7169 7168 4c3bc0 7168->7167 7170 4cec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7168->7170 7169->7166 7170->7168 7171 4c3b66 lstrlenA 7171->7166 7171->7172 7172->7166 7172->7168 7172->7171 7173->7083 7174->7081 7176 4c6f55 wsprintfA 7175->7176 7177 4c6eef AllocateAndInitializeSid 7175->7177 7176->7087 7178 4c6f1c CheckTokenMembership 7177->7178 7179 4c6f44 7177->7179 7180 4c6f2e 7178->7180 7181 4c6f3b FreeSid 7178->7181 7179->7176 7183 4c6e36 GetUserNameW 7179->7183 7180->7181 7181->7179 7184 4c6e5f LookupAccountNameW 7183->7184 7185 4c6e97 7183->7185 7184->7185 7185->7176 7187 4c2419 4 API calls 7186->7187 7188 4c24b6 7187->7188 7188->7101 7190 4cdd79 lstrlenA 7189->7190 7190->6432 7192 4ceb21 7191->7192 7193 4ceb17 7191->7193 7192->6516 7194 4ceae4 2 API calls 7193->7194 7194->7192 7197 4c69b9 WriteFile 7195->7197 7198 4c6a3c 7197->7198 7200 4c69ff 7197->7200 7198->6513 7198->6514 7199 4c6a10 WriteFile 7199->7198 7199->7200 7200->7198 7200->7199 7202 4c3edc 7201->7202 7203 4c3ee2 7201->7203 7204 4c6dc2 6 API calls 7202->7204 7203->6528 7204->7203 7206 4c400b CreateFileA 7205->7206 7207 4c402c GetLastError 7206->7207 7209 4c4052 7206->7209 7208 4c4037 7207->7208 7207->7209 7208->7209 7210 4c4041 Sleep 7208->7210 7209->6531 7210->7206 7210->7209 7212 4c3f4e GetLastError 7211->7212 7213 4c3f7c 7211->7213 7212->7213 7214 4c3f5b WaitForSingleObject 
                                                                                      APIs
                                                                                      • closesocket.WS2_32(?), ref: 004CCA4E
                                                                                      • closesocket.WS2_32(?), ref: 004CCB63
                                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 004CCC28
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004CCCB4
                                                                                      • WriteFile.KERNEL32(004CA4B3,?,-000000E8,?,00000000), ref: 004CCCDC
                                                                                      • CloseHandle.KERNEL32(004CA4B3), ref: 004CCCED
                                                                                      • wsprintfA.USER32 ref: 004CCD21
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004CCD77
                                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 004CCD89
                                                                                      • CloseHandle.KERNEL32(?), ref: 004CCD98
                                                                                      • CloseHandle.KERNEL32(?), ref: 004CCD9D
                                                                                      • DeleteFileA.KERNEL32(?), ref: 004CCDC4
                                                                                      • CloseHandle.KERNEL32(004CA4B3), ref: 004CCDCC
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 004CCFB1
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 004CCFEF
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 004CD033
                                                                                      • lstrcatA.KERNEL32(?,03B00108), ref: 004CD10C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 004CD155
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 004CD171
                                                                                      • WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000), ref: 004CD195
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004CD19C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 004CD1C8
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 004CD231
                                                                                      • lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 004CD27C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 004CD2AB
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD2C7
                                                                                      • WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD2EB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 004CD2F2
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 004CD326
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 004CD372
                                                                                      • lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 004CD3BD
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 004CD3EC
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD408
                                                                                      • WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD428
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 004CD42F
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 004CD45B
                                                                                      • CreateProcessA.KERNEL32(?,004D0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004CD4DE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 004CD4F4
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 004CD4FC
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 004CD513
                                                                                      • closesocket.WS2_32(?), ref: 004CD56C
                                                                                      • Sleep.KERNEL32(000003E8), ref: 004CD577
                                                                                      • ExitProcess.KERNEL32 ref: 004CD583
                                                                                      • wsprintfA.USER32 ref: 004CD81F
                                                                                        • Part of subcall function 004CC65C: send.WS2_32(00000000,?,00000000), ref: 004CC74B
                                                                                      • closesocket.WS2_32(?), ref: 004CDAD5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                      • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$X M$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                      • API String ID: 562065436-4027863486
                                                                                      • Opcode ID: 8690d6a7c5bae3174519e945a35180a5e7d5f855766719948976ff36180a9717
                                                                                      • Instruction ID: a100a9ca9a9ff00bf69c011ea4bb09a6a761a45104768520831e6c248fe7f7f7
                                                                                      • Opcode Fuzzy Hash: 8690d6a7c5bae3174519e945a35180a5e7d5f855766719948976ff36180a9717
                                                                                      • Instruction Fuzzy Hash: 1DB2C175D01208BBEB609FA5DD85FEE7BA8AB04304F14007FF609A3291D7789A45CB69
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 004C9A7F
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 004C9A83
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(004C6511), ref: 004C9A8A
                                                                                        • Part of subcall function 004CEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 004CEC5E
                                                                                        • Part of subcall function 004CEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 004CEC72
                                                                                        • Part of subcall function 004CEC54: GetTickCount.KERNEL32 ref: 004CEC78
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 004C9AB3
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 004C9ABA
                                                                                      • GetCommandLineA.KERNEL32 ref: 004C9AFD
                                                                                      • lstrlenA.KERNEL32(?), ref: 004C9B99
                                                                                      • ExitProcess.KERNEL32 ref: 004C9C06
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 004C9CAC
                                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 004C9D7A
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 004C9D8B
                                                                                      • lstrcatA.KERNEL32(?,004D070C), ref: 004C9D9D
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004C9DED
                                                                                      • DeleteFileA.KERNEL32(00000022), ref: 004C9E38
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 004C9E6F
                                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 004C9EC8
                                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 004C9ED5
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 004C9F3B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 004C9F5E
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 004C9F6A
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 004C9FAD
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 004C9FB4
                                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 004C9FFE
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 004CA038
                                                                                      • lstrcatA.KERNEL32(00000022,004D0A34), ref: 004CA05E
                                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 004CA072
                                                                                      • lstrcatA.KERNEL32(00000022,004D0A34), ref: 004CA08D
                                                                                      • wsprintfA.USER32 ref: 004CA0B6
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 004CA0DE
                                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 004CA0FD
                                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004CA120
                                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 004CA131
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 004CA174
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 004CA17B
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 004CA1B6
                                                                                      • GetCommandLineA.KERNEL32 ref: 004CA1E5
                                                                                        • Part of subcall function 004C99D2: lstrcpyA.KERNEL32(?,?,00000100,004D22F8,00000000,?,004C9E9D,?,00000022,?,?,?,?,?,?,?), ref: 004C99DF
                                                                                        • Part of subcall function 004C99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,004C9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 004C9A3C
                                                                                        • Part of subcall function 004C99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,004C9E9D,?,00000022,?,?,?), ref: 004C9A52
                                                                                      • lstrlenA.KERNEL32(?), ref: 004CA288
                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 004CA3B7
                                                                                      • GetLastError.KERNEL32 ref: 004CA3ED
                                                                                      • Sleep.KERNEL32(000003E8), ref: 004CA400
                                                                                      • DeleteFileA.KERNELBASE(004D33D8), ref: 004CA407
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,004C405E,00000000,00000000,00000000), ref: 004CA42C
                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 004CA43A
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,004C877E,00000000,00000000,00000000), ref: 004CA469
                                                                                      • Sleep.KERNELBASE(00000BB8), ref: 004CA48A
                                                                                      • GetTickCount.KERNEL32 ref: 004CA49F
                                                                                      • GetTickCount.KERNEL32 ref: 004CA4B7
                                                                                      • Sleep.KERNELBASE(00001A90), ref: 004CA4C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                      • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$D$P$\$edgikboy
                                                                                      • API String ID: 2089075347-2434236762
                                                                                      • Opcode ID: f61c933db9cbb11270716025d22f32e7dafd38ccd34503a40a71075f6b8eb3e9
                                                                                      • Instruction ID: 5cb8095f3c29c19dd340804f90d456802daffa6a3e0b71d3e417a04415e4ed8b
                                                                                      • Opcode Fuzzy Hash: f61c933db9cbb11270716025d22f32e7dafd38ccd34503a40a71075f6b8eb3e9
                                                                                      • Instruction Fuzzy Hash: 03529FB5C01259BBDB519FA19C49FEF7BBCAB04304F1440AFF509A3241EB789E448B69

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 905 4c199c-4c19cc inet_addr LoadLibraryA 906 4c19ce-4c19d0 905->906 907 4c19d5-4c19fe GetProcAddress * 3 905->907 908 4c1abf-4c1ac2 906->908 909 4c1a04-4c1a06 907->909 910 4c1ab3-4c1ab6 FreeLibrary 907->910 909->910 911 4c1a0c-4c1a0e 909->911 912 4c1abc 910->912 911->910 913 4c1a14-4c1a28 GetBestInterface GetProcessHeap 911->913 914 4c1abe 912->914 913->912 915 4c1a2e-4c1a40 HeapAlloc 913->915 914->908 915->912 916 4c1a42-4c1a50 GetAdaptersInfo 915->916 917 4c1a62-4c1a67 916->917 918 4c1a52-4c1a60 HeapReAlloc 916->918 919 4c1a69-4c1a73 GetAdaptersInfo 917->919 920 4c1aa1-4c1aad FreeLibrary 917->920 918->917 919->920 921 4c1a75 919->921 920->912 922 4c1aaf-4c1ab1 920->922 923 4c1a77-4c1a80 921->923 922->914 924 4c1a8a-4c1a91 923->924 925 4c1a82-4c1a86 923->925 927 4c1a96-4c1a9b HeapFree 924->927 928 4c1a93 924->928 925->923 926 4c1a88 925->926 926->927 927->920 928->927
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004C19B1
                                                                                      • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,004C1E9E), ref: 004C19BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004C19E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004C19ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004C19F9
                                                                                      • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,004C1E9E), ref: 004C1A1B
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,004C1E9E), ref: 004C1A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,004C1E9E), ref: 004C1A36
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,004C1E9E,?,?,?,?,00000001,004C1E9E), ref: 004C1A4A
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,004C1E9E,?,?,?,?,00000001,004C1E9E), ref: 004C1A5A
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,004C1E9E,?,?,?,?,00000001,004C1E9E), ref: 004C1A6E
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,004C1E9E), ref: 004C1A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,004C1E9E), ref: 004C1AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 293628436-270533642
                                                                                      • Opcode ID: f2676e7521df5c5164a363c07c4cf256322c3355d4d1e8b289d666a187859663
                                                                                      • Instruction ID: 9c25663d24772396025d7156c49d57cf1f69a125ffc89df425ec10cbdb0d1ff2
                                                                                      • Opcode Fuzzy Hash: f2676e7521df5c5164a363c07c4cf256322c3355d4d1e8b289d666a187859663
                                                                                      • Instruction Fuzzy Hash: C3313035902219AFCB519FE4DC88EAFBBB5EB46301F24457FE501A3221D7364E41DB98

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 696 4c7a95-4c7ac2 RegOpenKeyExA 697 4c7acb-4c7ae7 GetUserNameA 696->697 698 4c7ac4-4c7ac6 696->698 700 4c7aed-4c7b1e LookupAccountNameA 697->700 701 4c7da7-4c7db3 RegCloseKey 697->701 699 4c7db4-4c7db6 698->699 700->701 702 4c7b24-4c7b43 RegGetKeySecurity 700->702 701->699 702->701 703 4c7b49-4c7b61 GetSecurityDescriptorOwner 702->703 704 4c7bb8-4c7bd6 GetSecurityDescriptorDacl 703->704 705 4c7b63-4c7b72 EqualSid 703->705 706 4c7bdc-4c7be1 704->706 707 4c7da6 704->707 705->704 708 4c7b74-4c7b88 LocalAlloc 705->708 706->707 709 4c7be7-4c7bf2 706->709 707->701 708->704 710 4c7b8a-4c7b94 InitializeSecurityDescriptor 708->710 709->707 711 4c7bf8-4c7c08 GetAce 709->711 712 4c7b96-4c7ba4 SetSecurityDescriptorOwner 710->712 713 4c7bb1-4c7bb2 LocalFree 710->713 714 4c7c0e-4c7c1b 711->714 715 4c7cc6 711->715 712->713 716 4c7ba6-4c7bab RegSetKeySecurity 712->716 713->704 718 4c7c1d-4c7c2f EqualSid 714->718 719 4c7c4f-4c7c52 714->719 717 4c7cc9-4c7cd3 715->717 716->713 717->711 720 4c7cd9-4c7cdc 717->720 721 4c7c36-4c7c38 718->721 722 4c7c31-4c7c34 718->722 723 4c7c5f-4c7c71 EqualSid 719->723 724 4c7c54-4c7c5e 719->724 720->707 725 4c7ce2-4c7ce8 720->725 721->719 726 4c7c3a-4c7c4d DeleteAce 721->726 722->718 722->721 727 4c7c86 723->727 728 4c7c73-4c7c84 723->728 724->723 729 4c7d5a-4c7d6e LocalAlloc 725->729 730 4c7cea-4c7cf0 725->730 726->717 731 4c7c8b-4c7c8e 727->731 728->731 729->707 735 4c7d70-4c7d7a InitializeSecurityDescriptor 729->735 730->729 732 4c7cf2-4c7d0d RegOpenKeyExA 730->732 733 4c7c9d-4c7c9f 731->733 734 4c7c90-4c7c96 731->734 732->729 740 4c7d0f-4c7d16 732->740 736 4c7ca7-4c7cc3 733->736 737 4c7ca1-4c7ca5 733->737 734->733 738 4c7d7c-4c7d8a SetSecurityDescriptorDacl 735->738 739 4c7d9f-4c7da0 LocalFree 735->739 736->715 737->715 737->736 738->739 741 4c7d8c-4c7d9a RegSetKeySecurity 738->741 739->707 742 4c7d19-4c7d1e 740->742 741->739 743 4c7d9c 741->743 742->742 744 4c7d20-4c7d52 call 4c2544 RegSetValueExA 742->744 743->739 744->729 747 4c7d54 744->747 747->729
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 004C7ABA
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 004C7ADF
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,004D070C,?,?,?), ref: 004C7B16
                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 004C7B3B
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 004C7B59
                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 004C7B6A
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004C7B7E
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004C7B8C
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004C7B9C
                                                                                      • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 004C7BAB
                                                                                      • LocalFree.KERNEL32(00000000), ref: 004C7BB2
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,004C7FC9,?,00000000), ref: 004C7BCE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$D
                                                                                      • API String ID: 2976863881-1963506762
                                                                                      • Opcode ID: 1977a15707287f7ca079574bd377fd091b076032e34fd2d7ce7c9678fd5fffa0
                                                                                      • Instruction ID: 6ec50d4adfa6d1099f38c785a0dfd911d6a6cf70c51842579be261a68c969a5d
                                                                                      • Opcode Fuzzy Hash: 1977a15707287f7ca079574bd377fd091b076032e34fd2d7ce7c9678fd5fffa0
                                                                                      • Instruction Fuzzy Hash: 96A13775905219ABDF528FA1DC88FEFBBB8FB44304F14406BE506E2250E7399A45CF68

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 748 4c7809-4c7837 GetUserNameA 749 4c783d-4c786e LookupAccountNameA 748->749 750 4c7a8e-4c7a94 748->750 749->750 751 4c7874-4c78a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 4c78a8-4c78c3 GetSecurityDescriptorOwner 751->752 753 4c791d-4c793b GetSecurityDescriptorDacl 752->753 754 4c78c5-4c78da EqualSid 752->754 756 4c7a8d 753->756 757 4c7941-4c7946 753->757 754->753 755 4c78dc-4c78ed LocalAlloc 754->755 755->753 758 4c78ef-4c78f9 InitializeSecurityDescriptor 755->758 756->750 757->756 759 4c794c-4c7955 757->759 760 4c78fb-4c7909 SetSecurityDescriptorOwner 758->760 761 4c7916-4c7917 LocalFree 758->761 759->756 762 4c795b-4c796b GetAce 759->762 760->761 763 4c790b-4c7910 SetFileSecurityA 760->763 761->753 764 4c7a2a 762->764 765 4c7971-4c797e 762->765 763->761 766 4c7a2d-4c7a37 764->766 767 4c79ae-4c79b1 765->767 768 4c7980-4c7992 EqualSid 765->768 766->762 769 4c7a3d-4c7a41 766->769 770 4c79be-4c79d0 EqualSid 767->770 771 4c79b3-4c79bd 767->771 772 4c7999-4c799b 768->772 773 4c7994-4c7997 768->773 769->756 775 4c7a43-4c7a54 LocalAlloc 769->775 776 4c79e5 770->776 777 4c79d2-4c79e3 770->777 771->770 772->767 774 4c799d-4c79ac DeleteAce 772->774 773->768 773->772 774->766 775->756 778 4c7a56-4c7a60 InitializeSecurityDescriptor 775->778 779 4c79ea-4c79ed 776->779 777->779 780 4c7a86-4c7a87 LocalFree 778->780 781 4c7a62-4c7a71 SetSecurityDescriptorDacl 778->781 782 4c79ef-4c79f5 779->782 783 4c79f8-4c79fb 779->783 780->756 781->780 784 4c7a73-4c7a81 SetFileSecurityA 781->784 782->783 785 4c79fd-4c7a01 783->785 786 4c7a03-4c7a0e 783->786 784->780 787 4c7a83 784->787 785->764 785->786 788 4c7a19-4c7a24 786->788 789 4c7a10-4c7a17 786->789 787->780 790 4c7a27 788->790 789->790 790->764
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 004C782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004C7866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 004C7878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 004C789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,004C7F63,?), ref: 004C78B8
                                                                                      • EqualSid.ADVAPI32(?,004C7F63), ref: 004C78D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004C78E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004C78F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004C7901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 004C7910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 004C7917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004C7933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 004C7963
                                                                                      • EqualSid.ADVAPI32(?,004C7F63), ref: 004C798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004C79A3
                                                                                      • EqualSid.ADVAPI32(?,004C7F63), ref: 004C79C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004C7A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004C7A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 004C7A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 004C7A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 004C7A87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: 8acbe921d2a9653fc26c1c3154f4d2a5aa53819134126722fc4745efa9ed4f46
                                                                                      • Instruction ID: bb3cdfcc5c8839d48b68877ec88b4fff277697f14a991773c910a94c12d05310
                                                                                      • Opcode Fuzzy Hash: 8acbe921d2a9653fc26c1c3154f4d2a5aa53819134126722fc4745efa9ed4f46
                                                                                      • Instruction Fuzzy Hash: 1C814AB5905219ABDF62CFA4DD44FEFBBB8EF08340F14416AE505E2250D7398A41CF68

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 791 4c8328-4c833e call 4c7dd6 794 4c8348-4c8356 call 4c6ec3 791->794 795 4c8340-4c8343 791->795 799 4c835c-4c8378 call 4c73ff 794->799 800 4c846b-4c8474 794->800 796 4c877b-4c877d 795->796 811 4c837e-4c8384 799->811 812 4c8464-4c8466 799->812 802 4c847a-4c8480 800->802 803 4c85c2-4c85ce 800->803 802->803 807 4c8486-4c84ba call 4c2544 RegOpenKeyExA 802->807 805 4c8615-4c8620 803->805 806 4c85d0-4c85da call 4c675c 803->806 809 4c8626-4c864c GetTempPathA call 4c8274 call 4ceca5 805->809 810 4c86a7-4c86b0 call 4c6ba7 805->810 819 4c85df-4c85eb 806->819 821 4c84c0-4c84db RegQueryValueExA 807->821 822 4c8543-4c8571 call 4c2544 RegOpenKeyExA 807->822 849 4c864e-4c866f call 4ceca5 809->849 850 4c8671-4c86a4 call 4c2544 call 4cef00 call 4cee2a 809->850 830 4c86b6-4c86bd call 4c7e2f 810->830 831 4c8762 810->831 811->812 817 4c838a-4c838d 811->817 818 4c8779-4c877a 812->818 817->812 825 4c8393-4c8399 817->825 818->796 819->805 820 4c85ed-4c85ef 819->820 820->805 826 4c85f1-4c85fa 820->826 828 4c84dd-4c84e1 821->828 829 4c8521-4c852d RegCloseKey 821->829 843 4c85a5-4c85b7 call 4cee2a 822->843 844 4c8573-4c857b 822->844 833 4c839c-4c83a1 825->833 826->805 834 4c85fc-4c860f call 4c24c2 826->834 828->829 836 4c84e3-4c84e6 828->836 829->822 840 4c852f-4c8541 call 4ceed1 829->840 860 4c875b-4c875c DeleteFileA 830->860 861 4c86c3-4c873b call 4cee2a * 2 lstrcpyA lstrlenA call 4c7fcf CreateProcessA 830->861 838 4c8768-4c876b 831->838 833->833 841 4c83a3-4c83af 833->841 834->805 834->838 836->829 845 4c84e8-4c84f6 call 4cebcc 836->845 847 4c876d-4c8775 call 4cec2e 838->847 848 4c8776-4c8778 838->848 840->822 840->843 852 4c83b1 841->852 853 4c83b3-4c83ba 841->853 843->803 878 4c85b9-4c85c1 call 4cec2e 843->878 857 4c857e-4c8583 844->857 845->829 877 4c84f8-4c8513 RegQueryValueExA 845->877 847->848 848->818 849->850 850->810 852->853 854 4c8450-4c845f call 4cee2a 853->854 855 4c83c0-4c83fb call 4c2544 RegOpenKeyExA 853->855 854->803 855->854 882 4c83fd-4c841c RegQueryValueExA 855->882 857->857 868 4c8585-4c859f RegSetValueExA RegCloseKey 857->868 860->831 899 4c873d-4c874d CloseHandle * 2 861->899 900 4c874f-4c875a call 4c7ee6 call 4c7ead 861->900 868->843 877->829 883 4c8515-4c851e call 4cec2e 877->883 878->803 887 4c842d-4c8441 RegSetValueExA 882->887 888 4c841e-4c8421 882->888 883->829 895 4c8447-4c844a RegCloseKey 887->895 888->887 894 4c8423-4c8426 888->894 894->887 898 4c8428-4c842b 894->898 895->854 898->887 898->895 899->838 900->860
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C83F3
                                                                                      • RegQueryValueExA.KERNELBASE(004D0750,?,00000000,?,004C8893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C8414
                                                                                      • RegSetValueExA.KERNELBASE(004D0750,?,00000000,00000004,004C8893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C8441
                                                                                      • RegCloseKey.ADVAPI32(004D0750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C844A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe$localcfg
                                                                                      • API String ID: 237177642-3670105814
                                                                                      • Opcode ID: 2194b7afdfbda0020fc7e227bc202895090f61bb7adef290ccedea8bef5bf868
                                                                                      • Instruction ID: 1f7923630974279b9b105d29152d64afbd608d5f2405c21649a262ddd3a612cd
                                                                                      • Opcode Fuzzy Hash: 2194b7afdfbda0020fc7e227bc202895090f61bb7adef290ccedea8bef5bf868
                                                                                      • Instruction Fuzzy Hash: CFC1BFB9941109BEEB51ABA1DC85FFF7BBCEB14304F14446FF500A2151EBB84E448B29

                                                                                       Control-flow Graph (rendered graph image; not reproduced in this text export)
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 004C1DC6
                                                                                      • GetSystemInfo.KERNELBASE(?), ref: 004C1DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 004C1E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004C1E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 004C1E1B
                                                                                      • GetTickCount.KERNEL32 ref: 004C1FC9
                                                                                        • Part of subcall function 004C1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 004C1C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 23a3ee1c19b32b2a7bdea0fe0dc94892d0b1c56ce3f9b9d5b8f6280513bcc846
                                                                                      • Instruction ID: be44684a5d79c70be11013badcb5d67442974d2e9173c6ecd2242b35859a4909
                                                                                      • Opcode Fuzzy Hash: 23a3ee1c19b32b2a7bdea0fe0dc94892d0b1c56ce3f9b9d5b8f6280513bcc846
                                                                                      • Instruction Fuzzy Hash: 235195B49043446FE3B0AF768C85F2B7AECEB55708F04492FB94683253D77DA9048769

                                                                                       Control-flow Graph (rendered graph image; not reproduced in this text export)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 004C7472
                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004C74F0
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 004C7528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 004C764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004C76E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 004C7706
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004C7717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 004C7745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004C77EF
                                                                                        • Part of subcall function 004CF1A5: lstrlenA.KERNEL32(000000C8,000000E4,004D22F8,000000C8,004C7150,?), ref: 004CF1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004C778F
                                                                                      • RegCloseKey.KERNELBASE(?), ref: 004C77E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: 79560e82c82d19570009996dd84836467f404d8bc0b51fb9d8f3344adf34f6de
                                                                                      • Instruction ID: b3fd2d6ad0afa54d0c24b1ebf8771612cf54dc2818dbf12b8392dc53a9debc23
                                                                                      • Opcode Fuzzy Hash: 79560e82c82d19570009996dd84836467f404d8bc0b51fb9d8f3344adf34f6de
                                                                                      • Instruction Fuzzy Hash: 62C1B079904209BBDB519BA5DC45FEFBBB9EF44310F1000AFF504A6291EB789A408F68

                                                                                       Control-flow Graph (rendered graph image; not reproduced in this text export)
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 004C677E
                                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 004C679A
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004C67B0
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004C67BF
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004C67D3
                                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,004C8244,00000000,?,75920F10,00000000), ref: 004C6807
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 004C681F
                                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 004C683E
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 004C685C
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,004C8244,00000000,?,75920F10,00000000), ref: 004C688B
                                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 004C6906
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,004C8244,00000000,?,75920F10,00000000), ref: 004C691C
                                                                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 004C6971
                                                                                        • Part of subcall function 004CEC2E: GetProcessHeap.KERNEL32(00000000,'L,00000000,004CEA27,00000000), ref: 004CEC41
                                                                                        • Part of subcall function 004CEC2E: RtlFreeHeap.NTDLL(00000000), ref: 004CEC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 1400801100-0
                                                                                      • Opcode ID: 5d3e005705b349f67ce69c0f2446ea59b372afb959a3e0fb8d32f1294bdbbb95
                                                                                      • Instruction ID: bf5922110d18c6c11a0b709b3d194403ecf5d6cf75bca7b1e40bc5a00df5f1d2
                                                                                      • Opcode Fuzzy Hash: 5d3e005705b349f67ce69c0f2446ea59b372afb959a3e0fb8d32f1294bdbbb95
                                                                                      • Instruction Fuzzy Hash: F47166B5C0121DEFDF509FA5CC80EEEBBB8FB04314F10856AE515A2290E7349E92CB64

                                                                                       Control-flow Graph (rendered graph image; not reproduced in this text export)
                                                                                      APIs
                                                                                      • htons.WS2_32(004CCA1D), ref: 004CF34D
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 004CF367
                                                                                      • closesocket.WS2_32(00000000), ref: 004CF375
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 83b7ab5e6058df1727f1f1487a53e0c149fc0779a24516ebd56f4b1ef58bf84e
                                                                                      • Instruction ID: c39220a23dd9690d3b521b19f658dac224943257093026e3e1051e97238cc6b1
                                                                                      • Opcode Fuzzy Hash: 83b7ab5e6058df1727f1f1487a53e0c149fc0779a24516ebd56f4b1ef58bf84e
                                                                                      • Instruction Fuzzy Hash: 74318976901118ABDB109FA5DC89EEF7BBDEF88314F10417BF904E3151E7388A458BA9

                                                                                       Control-flow Graph (rendered graph image; not reproduced in this text export)
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 004C4070
                                                                                      • ExitProcess.KERNEL32 ref: 004C4121
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2404124870-0
                                                                                      • Opcode ID: 8b6a2896d3d71baaa961411df4dff926d4c3680ed32d04b60a71cf3e83e3e911
                                                                                      • Instruction ID: 36d6b8290b0bc396220fa67845fc18102dd17452b85ea6109ce16c45703e0ade
                                                                                      • Opcode Fuzzy Hash: 8b6a2896d3d71baaa961411df4dff926d4c3680ed32d04b60a71cf3e83e3e911
                                                                                      • Instruction Fuzzy Hash: 9F51B379D40218BAEB61ABA19D46FFF7B7CEB51754F00406EF600A2180E7388E41C769

                                                                                       Control-flow Graph (rendered graph image; not reproduced in this text export)
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,004C2F01,?,004C20FF,004D2000), ref: 004C2D3A
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 004C2D4A
                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 004C2D61
                                                                                      • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 004C2D77
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 004C2D99
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004C2DA0
                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 004C2DCB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                      • API String ID: 233223969-3847274415
                                                                                      • Opcode ID: a983b52d9c65033a1cf2640e5bab25d649244df21b7f1cf72c93b882e288ba58
                                                                                      • Instruction ID: 06294e99192087418dbae00ac9651e2b847475669d1d77a227148aa392dd9859
                                                                                      • Opcode Fuzzy Hash: a983b52d9c65033a1cf2640e5bab25d649244df21b7f1cf72c93b882e288ba58
                                                                                      • Instruction Fuzzy Hash: 61218E75901226ABCB629F54DD44FAFBBB8EF18B51F10402BF906E3210D7F4998287D8

                                                                                       Control-flow Graph (rendered graph image; not reproduced in this text export)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004C815F
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,004CA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004C8187
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,004CA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004C81BE
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004C8210
                                                                                        • Part of subcall function 004C675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 004C677E
                                                                                        • Part of subcall function 004C675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 004C679A
                                                                                        • Part of subcall function 004C675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004C67B0
                                                                                        • Part of subcall function 004C675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004C67BF
                                                                                        • Part of subcall function 004C675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004C67D3
                                                                                        • Part of subcall function 004C675C: ReadFile.KERNELBASE(000000FF,?,00000040,004C8244,00000000,?,75920F10,00000000), ref: 004C6807
                                                                                        • Part of subcall function 004C675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 004C681F
                                                                                        • Part of subcall function 004C675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 004C683E
                                                                                        • Part of subcall function 004C675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 004C685C
                                                                                        • Part of subcall function 004CEC2E: GetProcessHeap.KERNEL32(00000000,'L,00000000,004CEA27,00000000), ref: 004CEC41
                                                                                        • Part of subcall function 004CEC2E: RtlFreeHeap.NTDLL(00000000), ref: 004CEC48
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                      • String ID: C:\Windows\SysWOW64\edgikboy\pwdgvjcm.exe
                                                                                      • API String ID: 124786226-2804431639
                                                                                      • Opcode ID: a6ce23b9b4dad802ff40be461632070619f3a511a897373ba9fd29396c205121
                                                                                      • Instruction ID: b30c12d9c3a2a0153eba5087d79327ef05d23534c6a313614d966301ad95166d
                                                                                      • Opcode Fuzzy Hash: a6ce23b9b4dad802ff40be461632070619f3a511a897373ba9fd29396c205121
                                                                                      • Instruction Fuzzy Hash: A841A0BA801108BFEB50EBA19D85FBF77ACAB10304F1448AFF500A3101EA785E458B29

Control-flow Graph

Rendered graph not reproduced in text; basic blocks 4c1ac3-4c1b70 (entry 4c1ac3), calling LoadLibraryA, GetProcAddress and GetAdaptersAddresses and the internal subroutines 4cebed and 4cec2e.

APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 004C1AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 004C1AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 004C1B20
Strings
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: bcfeb8351b26dd430fb932425aad04a11a0da05162be3e1ca80fc0f9546dfa68
• Instruction ID: e7945856197881a6cb1cfc5fa4cd2432ed7d16091f95d92a7f78ff44ed4fe2fe
• Opcode Fuzzy Hash: bcfeb8351b26dd430fb932425aad04a11a0da05162be3e1ca80fc0f9546dfa68
• Instruction Fuzzy Hash: 6711EB79E01124AFCB55D765CC84EAEFB79EB45B10B14405FE005A3222F6346D40CF88

Control-flow Graph

Rendered graph not reproduced in text; basic blocks 4ce3ca-4ce52d (entry 4ce3ca), calling RegOpenKeyExA, RegQueryValueExA and RegCloseKey and the internal subroutines 4cee08, 4cf1ed, 4cdb2e, 4c2544 and 4ce332.

APIs
• RegOpenKeyExA.KERNELBASE(80000001,004CE5F2,00000000,00020119,004CE5F2,004D22F8), ref: 004CE3E6
• RegQueryValueExA.ADVAPI32(004CE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 004CE44E
• RegQueryValueExA.ADVAPI32(004CE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 004CE482
• RegQueryValueExA.ADVAPI32(004CE5F2,?,00000000,?,80000001,?), ref: 004CE4CF
• RegCloseKey.ADVAPI32(004CE5F2,?,?,?,?,000000C8,000000E4), ref: 004CE520
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 649f5f8e5a92648f686a7a720046e11813166255c8a428176089064178d52309
• Instruction ID: b8f8f3aefaf37dabc84abe4e5425037d6d19e8adfe8c8a01e34f08387a3e04f5
• Opcode Fuzzy Hash: 649f5f8e5a92648f686a7a720046e11813166255c8a428176089064178d52309
• Instruction Fuzzy Hash: 5D4116B6D00219BFEF519FD5DC85EEEBBB9EB04308F04406AE900A3250E7359E158B64

Control-flow Graph

Rendered graph not reproduced in text; a single basic block 4cf26d-4cf303 containing five setsockopt calls.

APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 004CF2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 004CF2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 004CF2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004CF2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 004CF2FD
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 81807dddde636a90fe62178a9dc5666e0de447ff30f643ca3f14807382342287
• Instruction ID: 7020d5dd1ac2147338e7c1a5463582ea88f23728a87cc5fff590694fd726f095
• Opcode Fuzzy Hash: 81807dddde636a90fe62178a9dc5666e0de447ff30f643ca3f14807382342287
• Instruction Fuzzy Hash: EE11F8B2A40248BAEB11DF94CD85F9E7FBCEB44751F008066BB04EA1D0E6B19A44CB94

Control-flow Graph

Rendered graph not reproduced in text; basic blocks 4c1bdf-4c1c5e (entry 4c1bdf), calling GetComputerNameA and GetVolumeInformationA and the internal subroutine 4c1ac3.

APIs
  • Part of subcall function 004C1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 004C1AD4
  • Part of subcall function 004C1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 004C1AE9
  • Part of subcall function 004C1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 004C1B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 004C1C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 004C1C51
Strings
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2794401326-2393279970
• Opcode ID: a392e8fcad37e42b50e6c937fd3c7a9f95ec119a41c5a9110bd4f2d3238b1011
• Instruction ID: fc03980164d26091c2db3cd27fd538b48fdc75ed6ec25112f80e5056ac859d8f
• Opcode Fuzzy Hash: a392e8fcad37e42b50e6c937fd3c7a9f95ec119a41c5a9110bd4f2d3238b1011
• Instruction Fuzzy Hash: 20018476940118BBEB50DAE8C8C5EFFBBBCE745745F10047BE602E3211D1349D448665
APIs
  • Part of subcall function 004C1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 004C1AD4
  • Part of subcall function 004C1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 004C1AE9
  • Part of subcall function 004C1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 004C1B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 004C1BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,004C1EFD,00000000,00000000,00000000,00000000), ref: 004C1BB8
Strings
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2794401326-1857712256
• Opcode ID: fa51b747c8af020cb4c59680d727b0a96ed43b6b13f4e56d8a4b5cca5ff97612
• Instruction ID: 763ed7ec511304c39427c2b0a6000081a4a4114eee7059e898d76135b2beb928
• Opcode Fuzzy Hash: fa51b747c8af020cb4c59680d727b0a96ed43b6b13f4e56d8a4b5cca5ff97612
• Instruction Fuzzy Hash: 25018BB6D00108BFEB01ABE9CC81EEFFBBCEB48654F150066A601E3151E6706E084AA0
APIs
• inet_addr.WS2_32(00000001), ref: 004C2693
• gethostbyname.WS2_32(00000001), ref: 004C269F
Strings
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: 6486d3924a99b119a27ff4ebf1cf9ac6b93f1092382cfccfc070afd42fecdcbc
• Instruction ID: ca9bee86f090582709e2f901dec703f6204462fe90764606b7f77a3b573f81d4
• Opcode Fuzzy Hash: 6486d3924a99b119a27ff4ebf1cf9ac6b93f1092382cfccfc070afd42fecdcbc
• Instruction Fuzzy Hash: 3FE08C342060218FCB909B28F848F8A37A4AF16330F01418AF480C72A0C7B4DC8097A8
APIs
  • Part of subcall function 004CEBA0: GetProcessHeap.KERNEL32(00000000,00000000,004CEC0A,00000000,80000001,?,004CDB55,7FFF0001), ref: 004CEBAD
  • Part of subcall function 004CEBA0: HeapSize.KERNEL32(00000000,?,004CDB55,7FFF0001), ref: 004CEBB4
• GetProcessHeap.KERNEL32(00000000,'L,00000000,004CEA27,00000000), ref: 004CEC41
• RtlFreeHeap.NTDLL(00000000), ref: 004CEC48
Strings
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID: 'L
• API String ID: 1305341483-3688640772
• Opcode ID: c7ee7a45117c9cf5c8d83703ef37cd71fc30d4634c2a11b36743667587a83fe6
• Instruction ID: c8902f186d44ec25d74ca9e5fd1b13c928a0b77e6b237237861398353d4e962b
• Opcode Fuzzy Hash: c7ee7a45117c9cf5c8d83703ef37cd71fc30d4634c2a11b36743667587a83fe6
• Instruction Fuzzy Hash: 79C012324072306BC5912751BC0DFAF6B189F46711F0D441FF4056715487645C4086E9
APIs
  • Part of subcall function 004CDD05: GetTickCount.KERNEL32 ref: 004CDD0F
  • Part of subcall function 004CDD05: InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
  • Part of subcall function 004CDD05: GetCurrentThreadId.KERNEL32 ref: 004CDD53
• GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,004CA445), ref: 004CE558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,004CA445), ref: 004CE583
• CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,004CA445), ref: 004CE5B2
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
• Opcode ID: 84b6b8c2677051e950257a7dab722b0328a5874d57545aea913f21659fd819de
• Instruction ID: 6db93406f7f5bccfbfd025f98ae7b8f6c0e05b20d94455add2f8b0bcdba9ae11
• Opcode Fuzzy Hash: 84b6b8c2677051e950257a7dab722b0328a5874d57545aea913f21659fd819de
• Instruction Fuzzy Hash: 1F21EAB69402007AE2A17A635D07F6B3E5CDB54758F10052FFE09A12E3EB9DE91081BD
APIs
• Sleep.KERNELBASE(000003E8), ref: 004C88A5
  • Part of subcall function 004CF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,004CE342,00000000,7508EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4), ref: 004CF089
  • Part of subcall function 004CF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,004CE342,00000000,7508EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4,000000C8), ref: 004CF093
Strings
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
• API String ID: 1561729337-486471987
• Opcode ID: ff07bbe4faf36107e8122dd1c9ac3397b42f0504d185dbdeee94644fe84cc53c
• Instruction ID: 061eadf69b191834441f7436fe5f3f034f8bcf8a92b5501c9566cece7c16e624
• Opcode Fuzzy Hash: ff07bbe4faf36107e8122dd1c9ac3397b42f0504d185dbdeee94644fe84cc53c
• Instruction Fuzzy Hash: FB21C4391493006AF395B7676E47FAA3BE9DB10B14FA0482FF904961C3EEDD854441BD
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004D22F8,004C42B6,00000000,00000001,004D22F8,00000000,?,004C98FD), ref: 004C4021
                                                                                      • GetLastError.KERNEL32(?,004C98FD,00000001,00000100,004D22F8,004CA3C7), ref: 004C402C
                                                                                      • Sleep.KERNEL32(000001F4,?,004C98FD,00000001,00000100,004D22F8,004CA3C7), ref: 004C4046
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                      • String ID:
                                                                                      • API String ID: 408151869-0
                                                                                      • Opcode ID: 126130671b69d94768e0de383a77aed4403bf9980874d4aa2bf84be8431f7eb5
                                                                                      • Instruction ID: 7c296a97e488d6e6a93d18eb2a170f1dbe5952c0175c34ba2904f80eced29672
                                                                                      • Opcode Fuzzy Hash: 126130671b69d94768e0de383a77aed4403bf9980874d4aa2bf84be8431f7eb5
                                                                                      • Instruction Fuzzy Hash: 9BF0A7352801016AD7724B26BD59F1B37A1DBC2724F254B2EF3B5E31E0C63448819B1D
                                                                                      APIs
                                                                                      • GetEnvironmentVariableA.KERNEL32(004CDC19,?,00000104), ref: 004CDB7F
                                                                                      • lstrcpyA.KERNEL32(?,004D28F8), ref: 004CDBA4
                                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 004CDBC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                      • String ID:
                                                                                      • API String ID: 2536392590-0
                                                                                      • Opcode ID: a1721f348d829c7e0b06347378a14b8c0e5a3a5fcffe4b520ab31fc732df989a
                                                                                      • Instruction ID: 06a32206bd6f374b33328171adaa1cc9e5f6f3da8034625a2327b5708c2087cf
                                                                                      • Opcode Fuzzy Hash: a1721f348d829c7e0b06347378a14b8c0e5a3a5fcffe4b520ab31fc732df989a
                                                                                      • Instruction Fuzzy Hash: D8F09070500209BBEF119F64EC89FD93B69AB10308F1041A5BB55A50D0D7F2E945CB28
                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 004CEC5E
                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 004CEC72
                                                                                      • GetTickCount.KERNEL32 ref: 004CEC78
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                                      • String ID:
                                                                                      • API String ID: 1209300637-0
                                                                                      • Opcode ID: 8ff3c7fc207da01957c465a6b1dc029bcf877f76f121244bbac8a9dab925e4a4
                                                                                      • Instruction ID: 51d59fdee966cb44e6c165f5d13a9b9d09c9ef9c175f831c056677bc20e2d91f
                                                                                      • Opcode Fuzzy Hash: 8ff3c7fc207da01957c465a6b1dc029bcf877f76f121244bbac8a9dab925e4a4
                                                                                      • Instruction Fuzzy Hash: A9E09AF5811104BFE711ABB0EC4AE6F77BCEB08215F500661B911D6090DA709A058B64
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 004C30D8
                                                                                      • gethostbyname.WS2_32(?), ref: 004C30E2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynamegethostname
                                                                                      • String ID:
                                                                                      • API String ID: 3961807697-0
                                                                                      • Opcode ID: c028fc20f5799f5491a3b7f9712b1c4edd6a1a68f0e5b715d797cae008ce898a
                                                                                      • Instruction ID: 008f96053f4b2361c10cb5ada43a85a606c77b089e0523e4a8842f905637bd90
                                                                                      • Opcode Fuzzy Hash: c028fc20f5799f5491a3b7f9712b1c4edd6a1a68f0e5b715d797cae008ce898a
                                                                                      • Instruction Fuzzy Hash: DCE09B769011199BCF00DBA8EC89F9B77ECFF04308F084066F905E3255EA34E9048794
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,004CDB55,7FFF0001), ref: 004CEC13
                                                                                      • RtlReAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEC1A
                                                                                        • Part of subcall function 004CEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,004CEBFE,7FFF0001,?,004CDB55,7FFF0001), ref: 004CEBD3
                                                                                        • Part of subcall function 004CEBCC: RtlAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1357844191-0
                                                                                      • Opcode ID: 767421176c7de718add4fc5283e6cc8c4559ae24c97f950ade2b871c768b4001
                                                                                      • Instruction ID: a6d7f48fcd2e299f916045722a1a5bff2f8bdfe8b35d74ceb0d998316be63305
                                                                                      • Opcode Fuzzy Hash: 767421176c7de718add4fc5283e6cc8c4559ae24c97f950ade2b871c768b4001
                                                                                      • Instruction Fuzzy Hash: 56E012361052187ADF412B96EC09FAD7B59DB04365F14802AF90D49161DB369990D698
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,004CEBFE,7FFF0001,?,004CDB55,7FFF0001), ref: 004CEBD3
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEBDA
                                                                                        • Part of subcall function 004CEB74: GetProcessHeap.KERNEL32(00000000,00000000,004CEC28,00000000,?,004CDB55,7FFF0001), ref: 004CEB81
                                                                                        • Part of subcall function 004CEB74: HeapSize.KERNEL32(00000000,?,004CDB55,7FFF0001), ref: 004CEB88
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AllocateSize
                                                                                      • String ID:
                                                                                      • API String ID: 2559512979-0
                                                                                      • Opcode ID: f5545c5ec4272c84696421c470d2b0958f2b75df3b4b21eafbd0d624c0a17144
                                                                                      • Instruction ID: 0101197cdf3902b652cba7fd1fb05ae5e1ab00a5343cbb020bfd8a9837907b4f
                                                                                      • Opcode Fuzzy Hash: f5545c5ec4272c84696421c470d2b0958f2b75df3b4b21eafbd0d624c0a17144
                                                                                      • Instruction Fuzzy Hash: 83C0803610523067C64127A57C0CF9E7F54DF05352F08001AF505C3160C7354C4087A9
                                                                                      APIs
                                                                                      • recv.WS2_32(000000C8,?,00000000,004CCA44), ref: 004CF476
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: recv
                                                                                      • String ID:
                                                                                      • API String ID: 1507349165-0
                                                                                      • Opcode ID: d20e055c3b3a77b6b43181ba240d60e8070aa15aee6ad586c7d80f15b65a5359
                                                                                      • Instruction ID: 370582eb186bdd336a1e2efebd7fcb75617cf3b7639b992488765f5d94044c71
                                                                                      • Opcode Fuzzy Hash: d20e055c3b3a77b6b43181ba240d60e8070aa15aee6ad586c7d80f15b65a5359
                                                                                      • Instruction Fuzzy Hash: AFF08C3620154AAB9B419E9ADC84DAB3BAEFB99310B050137FA04D3110D639E825CBA8
                                                                                      APIs
                                                                                      • closesocket.WS2_32(00000000), ref: 004C1992
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesocket
                                                                                      • String ID:
                                                                                      • API String ID: 2781271927-0
                                                                                      • Opcode ID: 4cb469fcc944aa9858e614e28a890652cbbb4d370db0628398c54c03e8584945
                                                                                      • Instruction ID: 1932f31a2154ba366c4d7cea5e076c16a83120925415a3d87734f0688273bce8
                                                                                      • Opcode Fuzzy Hash: 4cb469fcc944aa9858e614e28a890652cbbb4d370db0628398c54c03e8584945
                                                                                      • Instruction Fuzzy Hash: 91D0222A1092312A42402359BC04A7FAB8CCF05262B00802FFC48C0120C638CC41839D
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(80000011,00000000), ref: 004CDDB5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 1586166983-0
                                                                                      • Opcode ID: 9a6a5fac6c1e8b6e35a4547a9f168245bdbb8650cb7a4bf06cd0a95b113d7800
                                                                                      • Instruction ID: 574e18dcee573c768c38ef747d77807550a201aa4462f4736a0d8ee488d79d75
                                                                                      • Opcode Fuzzy Hash: 9a6a5fac6c1e8b6e35a4547a9f168245bdbb8650cb7a4bf06cd0a95b113d7800
                                                                                      • Instruction Fuzzy Hash: 0EF05839E003029BCBA18E249984B67B7E8AB85325F14483FE25A92250DB38DC45CB1A
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,004C9816,EntryPoint), ref: 004C638F
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,004C9816,EntryPoint), ref: 004C63A9
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004C63CA
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004C63EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: a94449a7bf0ac5f898afbabb7d68dcc3216b5d717c842f47f77af8b1009c06b5
                                                                                      • Instruction ID: 4c66a08ce49fd29e37a8ddcc9ae786a82abf9ad6c992e1763ebecde160e60748
                                                                                      • Opcode Fuzzy Hash: a94449a7bf0ac5f898afbabb7d68dcc3216b5d717c842f47f77af8b1009c06b5
                                                                                      • Instruction Fuzzy Hash: 3211E3B5600219BFDB518F65DC09F9B3BA8EB047A4F01806AFD08E7290D671DC008AB8
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,004C1839,004C9646), ref: 004C1012
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004C10C2
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004C10E1
                                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 004C1101
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 004C1121
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 004C1140
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 004C1160
                                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 004C1180
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 004C119F
                                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004C11BF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004C11DF
                                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004C11FE
                                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 004C121A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                      • API String ID: 2238633743-3228201535
                                                                                      • Opcode ID: e4d9be6713f9d57c2ef0e63569ad49677bb98de508f22834fc43d2d31264048e
                                                                                      • Instruction ID: c668310532dc64a97f5cf1bd553e62826475e492c55dbbed7dbb65cfcc53cadb
                                                                                      • Opcode Fuzzy Hash: e4d9be6713f9d57c2ef0e63569ad49677bb98de508f22834fc43d2d31264048e
                                                                                      • Instruction Fuzzy Hash: 11513EB9643601A6D7518F69EC64B5637E86749322F1403BB9420D23F1D7F8CA82CB9E
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 004CB2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 004CB2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 004CB2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 004CB2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 004CB31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 004CB329
                                                                                      • wsprintfA.USER32 ref: 004CB3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      • Opcode ID: 5f8c4e5a4c32ba0287c5a65017c4b7934668f8aec6c7dceb8c964a738ba1c594
                                                                                      • Instruction ID: 2de09d58191dca095938e22a9ae72a69589d7d14fe07a32c22f762dde70d8526
                                                                                      • Opcode Fuzzy Hash: 5f8c4e5a4c32ba0287c5a65017c4b7934668f8aec6c7dceb8c964a738ba1c594
                                                                                      • Instruction Fuzzy Hash: C4519475D1021CAACF58CFD5D859AEEBBB9FF49704F10812BE501B7250D3784A89CB98
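What this function most likely produces, shown as an added worked example (this is not code from the sample or from the Joe Sandbox report): the format string `%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u`, the day and month abbreviations and the trailing GetTimeZoneInformation call are the shape of an RFC 2822 `Date:` header, which a spam bot has to generate for every message it sends. The order of the day and month tables (Sun..Sat, Jan..Dec), the use of the `Bias` field for the zone suffix and the sample timestamps are assumptions; the report sorts strings alphabetically, so the binary's real table order is not visible here.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Format string and name tables as listed in the report's "String ID" line.
# Table order is an assumption (the report lists strings sorted); Windows
# SYSTEMTIME.wDayOfWeek uses 0 = Sunday, which is the order assumed below.
DATE_FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"
DAY_NAMES = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTH_NAMES = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
               "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def win_day_of_week(dt: datetime) -> int:
    """Map Python's weekday() (Monday = 0) onto SYSTEMTIME.wDayOfWeek (Sunday = 0)."""
    return (dt.weekday() + 1) % 7


def tz_suffix(bias_minutes: int) -> tuple:
    """Turn TIME_ZONE_INFORMATION.Bias into the (sign, hh, mm) triple the format needs.

    Bias is defined as UTC minus local time in minutes, so the printed offset is -Bias:
    Bias = 300 (US Eastern, standard time) prints as -0500, Bias = -60 prints as +0100.
    """
    offset = -bias_minutes
    sign = "-" if offset < 0 else "+"
    hh, mm = divmod(abs(offset), 60)
    return sign, hh, mm


def format_header_date(utc: datetime, bias_minutes: int) -> str:
    """Render an RFC 2822 Date header the way the wsprintfA call in the dump appears to.

    utc: naive datetime in UTC (what a FILETIME converts to); bias_minutes: the Bias that
    FileTimeToLocalFileTime / GetTimeZoneInformation would apply on the victim host.
    Converting to local time first keeps the weekday correct when the offset crosses midnight.
    """
    local = utc - timedelta(minutes=bias_minutes)
    sign, hh, mm = tz_suffix(bias_minutes)
    # Python's printf-style operator accepts the same %u / %.2u conversions as wsprintfA.
    return DATE_FMT % (
        DAY_NAMES[win_day_of_week(local)], local.day, MONTH_NAMES[local.month - 1],
        local.year, local.hour, local.minute, local.second, sign, hh, mm,
    )


def header_from_iso(iso_utc: str, bias_minutes: int) -> str:
    """Convenience wrapper taking an ISO 8601 UTC timestamp (e.g. copied from a log)."""
    return format_header_date(datetime.fromisoformat(iso_utc), bias_minutes)


def header_to_utc_iso(header: str) -> str:
    """Parse a Date header with the standard library and return the UTC instant as ISO text.

    Round-trip check: a well-formed header must map back to the timestamp it was built
    from, whatever zone it was rendered in. A failure here means the format is not RFC 2822.
    """
    aware = parsedate_to_datetime(header)
    return aware.astimezone(timezone.utc).replace(tzinfo=None).isoformat()


if __name__ == "__main__":
    # Constructed input: an arbitrary UTC timestamp and three host time-zone settings.
    for bias in (300, -60, 0):
        hdr = header_from_iso("2024-08-28T12:08:32", bias)
        print(hdr, "->", header_to_utc_iso(hdr))
```

The sign handling is the part worth checking when reading the disassembly: a bot that prints `Bias` directly instead of `-Bias` emits headers whose zone is inverted, which is a usable spam-filter artefact; the round-trip through `parsedate_to_datetime` is the quickest way to confirm which convention a sample follows once its output is captured on the wire.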
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: 81ee6a296748b113edc01b91e8df94f0497196f280d2c8ddea31eb2a2736e0cb
• Instruction ID: 08466d0a77727deacca4fce7701f43a19679ceaeb12d9ce4c95e4fcca328044d
• Instruction Fuzzy Hash: B1615E72A50208AFDB609FB4DC45FEA77E9FF08300F24806AF959D3261DA75A9508F54
APIs
• wsprintfA.USER32 ref: 004CA7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 004CA87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 004CA893
• wsprintfA.USER32 ref: 004CA8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 004CA8D2
• wsprintfA.USER32 ref: 004CA8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 004CA97C
• wsprintfA.USER32 ref: 004CA9B9
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: b0678bdda8376edec3c28d472ff81923876d6eecc44096ff873ad45b8b10a4bc
• Instruction ID: eabfe6d9a3aac16ce7d84e4b66b7844cd59ef61059db42f635da00b5a18d0494
• Instruction Fuzzy Hash: D9A1067994420DABDFA09A54DC85FAE3769AB0030CF24042FFA01A7290EA3D9D65875F
APIs
• ShellExecuteExW.SHELL32(?), ref: 004C139A
• lstrlenW.KERNEL32(-00000003), ref: 004C1571
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
• API String ID: 1628651668-3716895483
• Opcode ID: 75eb81d155013a44510108f1c96a40290daa185f97b8ee31f65580d9439f0e6e
• Instruction ID: dd103374a7a69ceaf279e97ca421394ce0be0e8e196f123d699d5ff99724a3ea
• Instruction Fuzzy Hash: D1F19AB92093419FD320DF64C888F6BB7E4FB8A304F10492EF586973A1D7789945CB5A
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 004C2A83
• HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 004C2A86
• socket.WS2_32(00000002,00000002,00000011), ref: 004C2AA0
• htons.WS2_32(00000000), ref: 004C2ADB
• select.WS2_32 ref: 004C2B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 004C2B4A
• htons.WS2_32(?), ref: 004C2B71
• htons.WS2_32(?), ref: 004C2B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 004C2BFB
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: f51a4e5e2d09b5c9ef50e4bcf79cdc3fba603980c3cf15c51f56a7059582b510
• Instruction ID: cafd4fdd25b6662c9d656fa5875774a6e59ef40afaa90cd2ae709f58ff88c70d
• Instruction Fuzzy Hash: CB61ED759053159BC760AF65DE08F2FBBE8FB89744F04081FF84597250D7F998408BAA
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004C70C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 004C719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004C71B2
• RegCloseKey.ADVAPI32(75920F10), ref: 004C7208
• RegCloseKey.ADVAPI32(75920F10), ref: 004C7291
• ___ascii_stricmp.LIBCMT ref: 004C72C2
• RegCloseKey.ADVAPI32(75920F10), ref: 004C72D0
• RegCloseKey.ADVAPI32(75920F10), ref: 004C7314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004C738D
• RegCloseKey.ADVAPI32(75920F10), ref: 004C73D8
  • Part of subcall function 004CF1A5: lstrlenA.KERNEL32(000000C8,000000E4,004D22F8,000000C8,004C7150,?), ref: 004CF1AD
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 6f7eda01279dd9b268d9736154a1aa3d5bdecbf5af0c1483a9bc9c5a2dc0616c
• Instruction ID: 94181ce953895b0dc587094da0ad521b5cfeef655ea2ddbf7cfe63569fb6bfe6
• Instruction Fuzzy Hash: 83B18C76908209BBDB559FA1DC45FEF77B8EB04304F10046FF901E2291EB799A84CB68
APIs
• GetLocalTime.KERNEL32(?), ref: 004CAD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004CADA6
  • Part of subcall function 004CAD08: gethostname.WS2_32(?,00000080), ref: 004CAD1C
  • Part of subcall function 004CAD08: lstrlenA.KERNEL32(00000000), ref: 004CAD60
  • Part of subcall function 004CAD08: lstrlenA.KERNEL32(00000000), ref: 004CAD69
  • Part of subcall function 004CAD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 004CAD7F
  • Part of subcall function 004C30B5: gethostname.WS2_32(?,00000080), ref: 004C30D8
  • Part of subcall function 004C30B5: gethostbyname.WS2_32(?), ref: 004C30E2
• wsprintfA.USER32 ref: 004CAEA5
  • Part of subcall function 004CA7A3: inet_ntoa.WS2_32(?), ref: 004CA7A9
• wsprintfA.USER32 ref: 004CAE4F
• wsprintfA.USER32 ref: 004CAE5E
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 004CEF92
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(?), ref: 004CEF99
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(00000000), ref: 004CEFA0
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: 11534b5893d6152d82265e1b6ce003e3d5b569ecf2bead75ea63c533b48218cf
• Instruction ID: d234995a2367e4c74b20424874586e35c73d65fa3da11884c17419cef30dd055
• Instruction Fuzzy Hash: 644150B690020C6BDB25AFA1DC45FEE3BADFB08304F14442FB91592151EB79E5148B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 004C2E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E4F
• htons.WS2_32(00000035), ref: 004C2E88
• inet_addr.WS2_32(?), ref: 004C2E93
• gethostbyname.WS2_32(?), ref: 004C2EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2EE3
• HeapFree.KERNEL32(00000000,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2EE6
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: 53a25f57b9eaada15a50bfcd634d2532699ef92a6b04ef59fc640d39ffb23ba2
• Instruction ID: 72f98568f992aba39c0864957b8b1a5a318112836e5b7174996e812825a85be6
• Instruction Fuzzy Hash: 4931B139A0120AABDB519BB89D48F6F77B8AF05360F14012BE914F7390DBF8D9418B5C
APIs
• GetVersionExA.KERNEL32(?,?,004C9DD7,?,00000022,?,?,00000000,00000001), ref: 004C9340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,004C9DD7,?,00000022,?,?,00000000,00000001), ref: 004C936E
• GetModuleFileNameA.KERNEL32(00000000,?,004C9DD7,?,00000022,?,?,00000000,00000001), ref: 004C9375
• wsprintfA.USER32 ref: 004C93CE
• wsprintfA.USER32 ref: 004C940C
• wsprintfA.USER32 ref: 004C948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004C94F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004C9526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004C9571
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: e1a3b1b4c7f3ec3bcfae25919146c658c74a8f5c16e5939fcfb971e43de7c4dc
• Instruction ID: 7311013488d10516a1c5206dd7b59cb69d430209e4de0418194247aacd54144e
• Instruction Fuzzy Hash: 6BA172B6540248FBEB659FA1CC49FDF37ACEB04744F10402BFA0592291D7B9D944CBA9
APIs
• GetTickCount.KERNEL32 ref: 004C2078
• GetTickCount.KERNEL32 ref: 004C20D4
• GetTickCount.KERNEL32 ref: 004C20DB
• GetTickCount.KERNEL32 ref: 004C212B
• GetTickCount.KERNEL32 ref: 004C2132
• GetTickCount.KERNEL32 ref: 004C2142
  • Part of subcall function 004CF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,004CE342,00000000,7508EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4), ref: 004CF089
  • Part of subcall function 004CF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,004CE342,00000000,7508EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4,000000C8), ref: 004CF093
  • Part of subcall function 004CE854: lstrcpyA.KERNEL32(00000001,?,?,004CD8DF,00000001,localcfg,except_info,00100000,004D0264), ref: 004CE88B
  • Part of subcall function 004CE854: lstrlenA.KERNEL32(00000001,?,004CD8DF,00000001,localcfg,except_info,00100000,004D0264), ref: 004CE899
  • Part of subcall function 004C1C5F: wsprintfA.USER32 ref: 004C1CE1
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: hl>$localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-459385573
• Opcode ID: 1ac6e3ca3ef90700c1a63d797bcd86d3a2ecedb32e722ebbf51f8e06e9b44cab
• Instruction ID: ba164521fbb39e679b403e1a679c7fedc73515b9c502e3ac353945dc1393c4ef
• Instruction Fuzzy Hash: B05103386023465EE7A8EF26EF45F563BD4AB10318F14007FF641862A2DBFC9944CA2D
APIs
• wsprintfA.USER32 ref: 004CB467
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 004CEF92
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(?), ref: 004CEF99
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(00000000), ref: 004CEFA0
Memory Dump Source
• Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: 59d6dae464c533b0920b3faba5b1d4f2b4759ca39b3a802ff08a51f78f94d47f
• Instruction ID: 66b3cf7a07a879b751b1d45317002a443ff44938c1de6ac487ae60b17979cc66
• Instruction Fuzzy Hash: 46416DB65401187EDF00AAA6CCD2FBF7A6CEE0974CF14011FF904A2142DB78AA1487A9
                                                                                      APIs
                                                                                        • Part of subcall function 004CA4C7: GetTickCount.KERNEL32 ref: 004CA4D1
                                                                                        • Part of subcall function 004CA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 004CA4FA
                                                                                      • GetTickCount.KERNEL32 ref: 004CC31F
                                                                                      • GetTickCount.KERNEL32 ref: 004CC32B
                                                                                      • GetTickCount.KERNEL32 ref: 004CC363
                                                                                      • GetTickCount.KERNEL32 ref: 004CC378
                                                                                      • GetTickCount.KERNEL32 ref: 004CC44D
                                                                                      • InterlockedIncrement.KERNEL32(004CC4E4), ref: 004CC4AE
                                                                                      • CreateThread.KERNEL32(00000000,00000000,004CB535,00000000,?,004CC4E0), ref: 004CC4C1
                                                                                      • CloseHandle.KERNEL32(00000000,?,004CC4E0,004D3588,004C8810), ref: 004CC4CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1553760989-1857712256
                                                                                      • Opcode ID: 24673712623286acfcbdf6ca0c5794be2d09371546d204ffa745a9d5bd90bd3f
                                                                                      • Instruction ID: 0307270221df78aa65a2c8fa22fb47d3810731992ae33e9c9830369a8c6df973
                                                                                      • Opcode Fuzzy Hash: 24673712623286acfcbdf6ca0c5794be2d09371546d204ffa745a9d5bd90bd3f
                                                                                      • Instruction Fuzzy Hash: 15517FB5600B418FC7648F69D5D4A2ABBE9FB48304B50993FD58BC7AA0D778F840CB18
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 004CBE4F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 004CBE5B
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 004CBE67
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 004CBF6A
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 004CBF7F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 004CBF94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                      • API String ID: 1586166983-1625972887
                                                                                      • Opcode ID: 5498af8048b6eeadd8e75fdbaea87334f49fa17848f6a3d483eccb3ab3e64249
                                                                                      • Instruction ID: 375ae461effc23fe0266d8897300e21e5e063f1cc95cfdb0309cc60124e10e2c
                                                                                      • Opcode Fuzzy Hash: 5498af8048b6eeadd8e75fdbaea87334f49fa17848f6a3d483eccb3ab3e64249
                                                                                      • Instruction Fuzzy Hash: 7D51AF39A0021AAFDB518B65CC92FAA7BA9EF14344F14406FE841EB351D738ED418FD8
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6A7D
                                                                                      • GetDiskFreeSpaceA.KERNEL32(004C9E9D,004C9A60,?,?,?,004D22F8,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6ABB
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B40
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B4E
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B5F
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B6F
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B7D
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B80
                                                                                      • GetLastError.KERNEL32(?,?,?,004C9A60,?,?,004C9E9D,?,?,?,?,?,004C9E9D,?,00000022,?), ref: 004C6B96
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3188212458-0
                                                                                      • Opcode ID: a98b6ea87bc3c3d02a7a4096429a71d2d1d581941afd43a70c15bc6a92f9e690
                                                                                      • Instruction ID: e785920719f576dfc817abc061515c7d7ebdd4431af0d9cc741c8f851401110c
                                                                                      • Opcode Fuzzy Hash: a98b6ea87bc3c3d02a7a4096429a71d2d1d581941afd43a70c15bc6a92f9e690
                                                                                      • Instruction Fuzzy Hash: AF31CCBA902149BFCB419FA09D44F9FBBB9EB48300F15807BE211E3211E734A9458F69
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,004CD7C3), ref: 004C6F7A
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,004CD7C3), ref: 004C6FC1
                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 004C6FE8
                                                                                      • LocalFree.KERNEL32(00000120), ref: 004C701F
                                                                                      • wsprintfA.USER32 ref: 004C7036
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                      • String ID: /%d$|
                                                                                      • API String ID: 676856371-4124749705
                                                                                      • Opcode ID: 5a62fd4339008a46d58338b8b3f069d9a79bfb2481d357156310e134b7a7af95
                                                                                      • Instruction ID: d01f510a59c8f45e097c839cb921dcd85adc8b2650f002ccb7acdd7ee33cbdf2
                                                                                      • Opcode Fuzzy Hash: 5a62fd4339008a46d58338b8b3f069d9a79bfb2481d357156310e134b7a7af95
                                                                                      • Instruction Fuzzy Hash: BE312B76500108BBDB41DFA5D845FDF7BA8AF04314F04806BF909DB201DA39DA088B98
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004D22F8,000000E4,004C6DDC,000000C8), ref: 004C6CE7
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004C6CEE
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 004C6D14
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 004C6D2B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                      • API String ID: 1082366364-3395550214
                                                                                      • Opcode ID: f34a5e8cd58c80fc604d1d63b3fb1e925c67e6b4f3df8dd071588d31f63b270a
                                                                                      • Instruction ID: 3c1e64b19c1349cd0c32d010e5e3644bd47baa15138df500ae4be634476dab03
                                                                                      • Opcode Fuzzy Hash: f34a5e8cd58c80fc604d1d63b3fb1e925c67e6b4f3df8dd071588d31f63b270a
                                                                                      • Instruction Fuzzy Hash: 4C21355974224039F7A257325E89F7B2F4C8B62744F0D809FF805A72D2CBDD884682AD
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,004C9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004D22F8), ref: 004C97B1
                                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004D22F8), ref: 004C97EB
                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C97F9
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C9831
                                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C984E
                                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C985B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2981417381-2746444292
                                                                                      • Opcode ID: f9dd04d3d9bba895192258002e4ea206a85955bff8225d0d483fcfea03a1b6b5
                                                                                      • Instruction ID: 868e3742da55ae1e2ce7244975336ec824f35d3d402753958b4023b2093b80be
                                                                                      • Opcode Fuzzy Hash: f9dd04d3d9bba895192258002e4ea206a85955bff8225d0d483fcfea03a1b6b5
                                                                                      • Instruction Fuzzy Hash: FD216D75902129BBDB519FA1DC49FEF7BBCEF05750F400066B909E2150EB359A44CAA8
                                                                                      APIs
                                                                                        • Part of subcall function 004CDD05: GetTickCount.KERNEL32 ref: 004CDD0F
                                                                                        • Part of subcall function 004CDD05: InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
                                                                                        • Part of subcall function 004CDD05: GetCurrentThreadId.KERNEL32 ref: 004CDD53
                                                                                        • Part of subcall function 004CDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 004CDDB5
                                                                                      • lstrcpynA.KERNEL32(?,004C1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,004CEAAA,?,?), ref: 004CE8DE
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,004CEAAA,?,?,00000001,?,004C1E84,?), ref: 004CE935
                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,004CEAAA,?,?,00000001,?,004C1E84,?,0000000A), ref: 004CE93D
                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,004CEAAA,?,?,00000001,?,004C1E84,?), ref: 004CE94F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                      • String ID: flags_upd$localcfg
                                                                                      • API String ID: 204374128-3505511081
                                                                                      • Opcode ID: 0908d74fd094aae1d177ca834c77e48acc8e79906dfef2abc39900dec8f7a2d6
                                                                                      • Instruction ID: bb547afcfde0830d9b25f30e6d4cb05e5d00098b0b24688b7fa71bdba7b654c8
                                                                                      • Opcode Fuzzy Hash: 0908d74fd094aae1d177ca834c77e48acc8e79906dfef2abc39900dec8f7a2d6
                                                                                      • Instruction Fuzzy Hash: DC515076D00209AFCB41EFA9C984EAEB7F9FF44308F14052EE405A3211DB79EA149B54
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: 2fd00c2e03f3e75cd24c459dc7e542139a5314c5681fa91e36d8f5d7a1c43d8f
                                                                                      • Instruction ID: 1a8869f5b927290ae55461d461d765f726292612f262ae8e2f6dfb17d58003ab
                                                                                      • Opcode Fuzzy Hash: 2fd00c2e03f3e75cd24c459dc7e542139a5314c5681fa91e36d8f5d7a1c43d8f
                                                                                      • Instruction Fuzzy Hash: 7C21A17A101115FFDB525B61FD49FAF3BACDB04364B21842BF502E2051EB38DA00967C
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,004D22F8), ref: 004C907B
                                                                                      • wsprintfA.USER32 ref: 004C90E9
                                                                                      • CreateFileA.KERNEL32(004D22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004C910E
                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 004C9122
                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 004C912D
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004C9134
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 2439722600-0
                                                                                      • Opcode ID: 64c8c5a500366e8dc7622b98f4d76957bbfbf1ca69a40a5be735d5a62ab6586c
                                                                                      • Instruction ID: 9e3e3016c07ae1bce3abf8e7130bfff429177fd496e2378394487b6620b8ccc7
                                                                                      • Opcode Fuzzy Hash: 64c8c5a500366e8dc7622b98f4d76957bbfbf1ca69a40a5be735d5a62ab6586c
                                                                                      • Instruction Fuzzy Hash: EF1184B66411147BF7656B23EC0EFAF366DDBC5B04F00807FBB0AA6191EA744E019668
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004CDD0F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004CDD20
                                                                                      • GetTickCount.KERNEL32 ref: 004CDD2E
                                                                                      • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,004CE538,?,75920F10,?,00000000,?,004CA445), ref: 004CDD3B
                                                                                      • InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004CDD53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3819781495-0
                                                                                      • Opcode ID: bc05a9d8b0d5ef1a396ad13fbaacd0a08f61bc1b80268cee19e9782d779e078d
                                                                                      • Instruction ID: fafcfb2850569b7640972b914535e4d0e25ebde81a3780c7489f584e70542231
                                                                                      • Opcode Fuzzy Hash: bc05a9d8b0d5ef1a396ad13fbaacd0a08f61bc1b80268cee19e9782d779e078d
                                                                                      • Instruction Fuzzy Hash: 97F0BE76906204BBD7915F65BC84F293BA4E744312F00007BE20AC3260C7289545CE2F
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 004CAD1C
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 004CAD60
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 004CAD69
                                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 004CAD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 1b3f385fa85f30b4f5aaecae4eb5b84f49e297ac8b8deed8ceaf5b290ec28de6
• Instruction ID: 719388dcd45ccf5874f294a38e04469f923d9ecf067f55b3889910d0af465ac9
• Instruction Fuzzy Hash: BF01492C84418D5DDFB206289844FA63F779B9770EF10005FE4C2C7616D61C8853835F
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004C98FD,00000001,00000100,004D22F8,004CA3C7), ref: 004C4290
• CloseHandle.KERNEL32(004CA3C7), ref: 004C43AB
• CloseHandle.KERNEL32(00000001), ref: 004C43AE
Similarity
• API ID: CloseHandle$CreateEvent
• API String ID: 1371578007-0
• Opcode ID: f0e4d0c38b3c2bdfffdbba55ef22ce55060f70a4e0bb16f71e74e709b1391079
• Instruction ID: ff6964a2d6be4fa81cb16f4f8f8f257047f809d2014470a055174496efe34d94
• Instruction Fuzzy Hash: 02418375D00109BADB10AFA2CD46FEF7FB8EF80325F10455EF514A2191D7389A41DB64
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004C64CF,00000000), ref: 004C609C
• LoadLibraryA.KERNEL32(?,?,004C64CF,00000000), ref: 004C60C3
• GetProcAddress.KERNEL32(?,00000014), ref: 004C614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 004C619E
Similarity
• API ID: Read$AddressLibraryLoadProc
• API String ID: 2438460464-0
• Opcode ID: a128973405898bae28d53bc5d0b19d2051d9e7f9025a27c2e81c5989a9474e4f
• Instruction ID: e1d06ea70e973f5749cfa4e4386d6f8f31e1d9a6905ae892c542539093dc67fe
• Instruction Fuzzy Hash: D0418979A00106ABDB50CF59C880F6AB7B8EF04355F2AC06EE815D7391EB38ED41CB84
APIs
• GetTickCount.KERNEL32 ref: 004C272E
• htons.WS2_32(00000001), ref: 004C2752
• htons.WS2_32(0000000F), ref: 004C27D5
• htons.WS2_32(00000001), ref: 004C27E3
• sendto.WS2_32(?,004D2BF8,00000009,00000000,00000010,00000010), ref: 004C2802
  • Part of subcall function 004CEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,004CEBFE,7FFF0001,?,004CDB55,7FFF0001), ref: 004CEBD3
  • Part of subcall function 004CEBCC: RtlAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEBDA
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• API String ID: 1128258776-0
• Opcode ID: 4815b5e8a4fc83553270df3f8c82d4be42b37ce66466dd1b51c4f8b62bc2ad43
• Instruction ID: 47f37b8ba99dd51fb327272efef48c8fbce319c463e1ee92302f727ed2eae893
• Instruction Fuzzy Hash: FB3104382823829FD7108F74D990E667760BF29318B19806FE8558B322D6F7E842D718
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004D22F8), ref: 004C915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 004C9166
• CharToOemA.USER32(?,?), ref: 004C9174
• wsprintfA.USER32 ref: 004C91A9
  • Part of subcall function 004C9064: GetTempPathA.KERNEL32(00000400,?,00000000,004D22F8), ref: 004C907B
  • Part of subcall function 004C9064: wsprintfA.USER32 ref: 004C90E9
  • Part of subcall function 004C9064: CreateFileA.KERNEL32(004D22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004C910E
  • Part of subcall function 004C9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 004C9122
  • Part of subcall function 004C9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 004C912D
  • Part of subcall function 004C9064: CloseHandle.KERNEL32(00000000), ref: 004C9134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004C91E1
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• API String ID: 3857584221-0
• Opcode ID: 61dd2dfb0d27c6cf5bfdcc0e8ed2b52b9fc8d5f41dec7d9f3c194100cf53e6a0
• Instruction ID: bbda71737a33205aba49252010a3e06eceab56714e82e6d61c84ba5d34d4fd65
• Instruction Fuzzy Hash: 890152FA9401187BD760A7629D4DFDF777CDB95B05F0000A7B749E2040DAB49A858F74
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,004C2491,?,?,?,004CE844,-00000030,?,?,?,00000001), ref: 004C2429
• lstrlenA.KERNEL32(?,?,004C2491,?,?,?,004CE844,-00000030,?,?,?,00000001,004C1E3D,00000001,localcfg,lid_file_upd), ref: 004C243E
• lstrcmpiA.KERNEL32(?,?), ref: 004C2452
• lstrlenA.KERNEL32(?,?,004C2491,?,?,?,004CE844,-00000030,?,?,?,00000001,004C1E3D,00000001,localcfg,lid_file_upd), ref: 004C2467
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: fdb7e888ffc0f2c163271c89e52a2f6db6ffeb1d1b4a651a09c81b7c5b2e48d9
• Instruction ID: 02d82fdf9c30a396887b112e9b028dc421f46b1408ab3955e29f86bff0103575
• Instruction Fuzzy Hash: F3011A35600218BFCF55EF69DD80ADE7BA9EF44354B01C42AE85997210E3B4EA40CA98
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 004C6F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*pL), ref: 004C6F24
• FreeSid.ADVAPI32(?), ref: 004C6F3E
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *pL
• API String ID: 3429775523-2597219945
• Opcode ID: a8eb5ac75762d3d4ee7ec6705a97b516a73bd85534136a7b194bc7f13267106c
• Instruction ID: 2d6165f0756935f7d3e00eaf91cb47c33ddc6e682fbd10dc80b053c5d5a7d696
• Instruction Fuzzy Hash: C8011E75901208BFDB11DFE4ED85FAE77B8EB04304F10887FE605E2151E7749944CA18
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 7aa2cff6518119168288f3ed4639d535f9ed52aff59db381a5b01edf89d19578
• Instruction ID: 84b5394328a2147331d24bc0815d11a2c9abd36bad3f2e07c29c5e4be4830962
• Instruction Fuzzy Hash: D241DF369002989FDB61CF798C44FEE3BE89F0A310F24005AFD60D3252D638EA04CBA4
APIs
  • Part of subcall function 004CDD05: GetTickCount.KERNEL32 ref: 004CDD0F
  • Part of subcall function 004CDD05: InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
  • Part of subcall function 004CDD05: GetCurrentThreadId.KERNEL32 ref: 004CDD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,004C5EC1), ref: 004CE693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,004C5EC1), ref: 004CE6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,004C5EC1), ref: 004CE722
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: d3efcb5e32f33bcc5e0866d339d7c1cc3695e8c6d36f8e5d60e310e4b992dd45
• Instruction ID: 7371dad12bb96de9a93684eb0878a53b2e465794217836d885e7b4e340719145
• Instruction Fuzzy Hash: 1A31EF39A11302DBCBB18F66D884F6B37E4AB20324F10843FE55687650E778EC80CB89
APIs
• RegCreateKeyExA.ADVAPI32(80000001,004CE2A3,00000000,00000000,00000000,00020106,00000000,004CE2A3,00000000,000000E4), ref: 004CE0B2
• RegSetValueExA.ADVAPI32(004CE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004D22F8), ref: 004CE127
• RegDeleteValueA.ADVAPI32(004CE2A3,?,?,?,?,?,000000C8,004D22F8), ref: 004CE158
• RegCloseKey.ADVAPI32(004CE2A3,?,?,?,?,000000C8,004D22F8,?,?,?,?,?,?,?,?,004CE2A3), ref: 004CE161
Similarity
• API ID: Value$CloseCreateDelete
• API String ID: 2667537340-0
• Opcode ID: 646352c0c9f16613d89c48ceb7a7231b42a5116f7d3a4a47f93f18a21d0bcaa9
• Instruction ID: c8971767fb2ac80ca570c2cc04d4c6e26a28a397b76bbd8867e9f4c2389cfb9f
• Instruction Fuzzy Hash: B7219C31A00229BBDF619EA6DC89F9F7FB9EF08754F044066F904A2150EB718A14CB94
APIs
• WriteFile.KERNEL32(00000000,00000000,004CA3C7,00000000,00000000,000007D0,00000001), ref: 004C3F44
• GetLastError.KERNEL32 ref: 004C3F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 004C3F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004C3F72
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• API String ID: 3373104450-0
• Opcode ID: 7a7d4cb4c2b78da3e2cad14a4442e24face8452b64840a07d6d72b2a5d288852
• Instruction ID: fdc26bc39bfaa050d4059eb576baa465bec8c8854f790b0a682aa93603373568
• Instruction Fuzzy Hash: 4901E972912109ABDF01DF90ED44BEF7B7CEB04356F10842AFA01E2150D734DA158BBA
APIs
• ReadFile.KERNEL32(00000000,00000000,004CA3C7,00000000,00000000,000007D0,00000001), ref: 004C3FB8
• GetLastError.KERNEL32 ref: 004C3FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 004C3FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004C3FE6
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• API String ID: 888215731-0
• Opcode ID: 37c45f92fd704ab3fc4a43c7547d35be97bada8aaa74c108725e66dc2211e3a5
• Instruction ID: afd497f02c37896304344ead73dce5717c4bf5cbf805c1f54f41b6d096187b43
• Instruction Fuzzy Hash: 2901297291110AABDF01DF94ED45BEF3BBCEB08356F00842AF902E2050D734DA148BBA
APIs
• GetTickCount.KERNEL32 ref: 004CA4D1
• GetTickCount.KERNEL32 ref: 004CA4E4
• Sleep.KERNEL32(00000000,?,004CC2E9,004CC4E0,00000000,localcfg,?,004CC4E0,004D3588,004C8810), ref: 004CA4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 004CA4FA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 0db20d39e1b77d56c2e2d9d4613632640ee4744cdf128cca5b8473f7a4df5c53
                                                                                      • Instruction ID: cf3f0bd912c0a20699f70d5dedefc067b740095c997432aeccba6528d9992e7c
                                                                                      • Opcode Fuzzy Hash: 0db20d39e1b77d56c2e2d9d4613632640ee4744cdf128cca5b8473f7a4df5c53
                                                                                      • Instruction Fuzzy Hash: FBE0263B20220877C7001BA5BD84F6A7388AB4A761F054037FB04D3240C65AA85141BF
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004C4E9E
                                                                                      • GetTickCount.KERNEL32 ref: 004C4EAD
                                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 004C4EBA
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 004C4EC3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 359984679506c8b9bd00185a2f69d818ca4672a8c03de0e52069ed0232604487
                                                                                      • Instruction ID: fe899e51c986c14b6a337e72d8100cd25e863c1add3c6f776be22d26ee618213
                                                                                      • Opcode Fuzzy Hash: 359984679506c8b9bd00185a2f69d818ca4672a8c03de0e52069ed0232604487
                                                                                      • Instruction Fuzzy Hash: 1AE0863A20221467D61027B9BE84F5A6799AB96361F060537E709D3180C65A984245B9
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004C4BDD
                                                                                      • GetTickCount.KERNEL32 ref: 004C4BEC
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,02A1B114,004C50F2), ref: 004C4BF9
                                                                                      • InterlockedExchange.KERNEL32(02A1B108,00000001), ref: 004C4C02
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 24c3059b018bc6c89f0506260fcf988047c5eced751e5673ee5a22bdbe4ddcd8
                                                                                      • Instruction ID: 74c0b1106b67a8a95e34c2d611ca30b86a70f0da469873470ab45fb8748f94df
                                                                                      • Opcode Fuzzy Hash: 24c3059b018bc6c89f0506260fcf988047c5eced751e5673ee5a22bdbe4ddcd8
                                                                                      • Instruction Fuzzy Hash: 08E0863A24221467D75017A57E80F5A77989B96361F060077F708D3150D95AE84141B9
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004C3103
                                                                                      • GetTickCount.KERNEL32 ref: 004C310F
                                                                                      • Sleep.KERNEL32(00000000), ref: 004C311C
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 004C3128
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: e7d2dca63d41372aaf467d57ca0b581995c49d734370837b42f90053a575c2e0
                                                                                      • Instruction ID: d4df164f5b3d0751408e536eb6e67bf0107015de6418ce1592e3efe539ac51f6
                                                                                      • Opcode Fuzzy Hash: e7d2dca63d41372aaf467d57ca0b581995c49d734370837b42f90053a575c2e0
                                                                                      • Instruction Fuzzy Hash: 9FE0C239201215BFDB406F75BE44F5A6B9ADF84762F05403BF201D31A0C9554D01897A
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(004C9A60,?,?,00000000,00000000,004C9A60,?,00000000), ref: 004C69F9
                                                                                      • WriteFile.KERNEL32(004C9A60,?,004C9A60,00000000,00000000), ref: 004C6A27
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID: ,kL
                                                                                      • API String ID: 3934441357-930470209
                                                                                      • Opcode ID: 4a67c524b8be7eda31fe68ce1e04b5a9f9dc7b886f165af050711f4b67bd9f18
                                                                                      • Instruction ID: 1eaab636ce026711230c417406459cd0320d98ec8d0446c1d56b1ebb42c85878
                                                                                      • Opcode Fuzzy Hash: 4a67c524b8be7eda31fe68ce1e04b5a9f9dc7b886f165af050711f4b67bd9f18
                                                                                      • Instruction Fuzzy Hash: 6F313676A00209EFDB64CF69D984FAAB7F4EB04315F12846EE801E7200D375EE54CBA5
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 536389180-1857712256
                                                                                      • Opcode ID: 9a62ea1a0e63c7b18cc9a37d65d196c193d1fd21ef490ad41bc16e943ef0a8b5
                                                                                      • Instruction ID: ebff12fdd3d3671089170fba5c940ccc2c349161b095f7f037a0f1aef549ea77
                                                                                      • Opcode Fuzzy Hash: 9a62ea1a0e63c7b18cc9a37d65d196c193d1fd21ef490ad41bc16e943ef0a8b5
                                                                                      • Instruction Fuzzy Hash: 4721C03A611215AFCB908F64DD85F9ABBB9EB21315B29006FD802D7291CF38E940C75A
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 004CC057
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 6d4175e935614c6513606c3b1149b6062c895b6f419c232884d724964a263483
                                                                                      • Instruction ID: e1e08c355069369b10b68beb97e05226ce8fecbe86ca5c9c1a6733d483204003
                                                                                      • Opcode Fuzzy Hash: 6d4175e935614c6513606c3b1149b6062c895b6f419c232884d724964a263483
                                                                                      • Instruction Fuzzy Hash: B5119772100100FFDB429BA9DD44E567FA6FF88318B3481ADF6188E166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004C30FA: GetTickCount.KERNEL32 ref: 004C3103
                                                                                        • Part of subcall function 004C30FA: InterlockedExchange.KERNEL32(?,00000001), ref: 004C3128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004C3929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004C3939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: 6c6bc35a13817fedbc31e50f2360238e96e0ff1dc8d8b2c62a22c91371489de9
                                                                                      • Instruction ID: fec4b45eeb4c2abd2d77d790885c7b1682ae6160d866a753373832113c761bf4
                                                                                      • Opcode Fuzzy Hash: 6c6bc35a13817fedbc31e50f2360238e96e0ff1dc8d8b2c62a22c91371489de9
                                                                                      • Instruction Fuzzy Hash: AF1104B9900214EBD760DF1AD581B69F3F4FB09716F10856FE84497291C7B8AA80CFA9
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,004CBD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 004CABB9
                                                                                      • InterlockedIncrement.KERNEL32(004D3640), ref: 004CABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 8537b946b450c9db1de0ccd7afe2f1f6fd9eb928b6ee09c107edcc650c484ae3
                                                                                      • Instruction ID: 51245cf27a3111cb429c8a0c49fa3e8c2bd7059e7d14b82d54964c0e9711931e
                                                                                      • Opcode Fuzzy Hash: 8537b946b450c9db1de0ccd7afe2f1f6fd9eb928b6ee09c107edcc650c484ae3
                                                                                      • Instruction Fuzzy Hash: 4D019E35508288AFDB21CF18D881F967BA6AF15318F14449AE6808B353C379EA55CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004C26C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004C26E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: 0d2e0d28fb9510006f9952e94c7ec37c3dff983b682081276bd165da9e02934f
                                                                                      • Instruction ID: 5e791386e0305f630fd5c8f216f1528c3f33e126128692a2cd480b98aa458bb2
                                                                                      • Opcode Fuzzy Hash: 0d2e0d28fb9510006f9952e94c7ec37c3dff983b682081276bd165da9e02934f
                                                                                      • Instruction Fuzzy Hash: 3BF082362492097BEF406FA5ED09F9A379CEB04350F10446FFA08CA090DBB5D94097AC
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,004CEB54,_alldiv,004CF0B7,80000001,00000000,00989680,00000000,?,?,?,004CE342,00000000,7508EA50,80000001,00000000), ref: 004CEAF2
                                                                                      • GetProcAddress.KERNEL32(76E80000,00000000), ref: 004CEB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: 89b299af721506dc1f0d78a70672c4250cd5715899f5e76e98a22ec05fe61714
                                                                                      • Instruction ID: 87e2e503f6f3d79facb94c37c6303aa03000d7657880c4d13eeea2ef5d8c6a2a
                                                                                      • Opcode Fuzzy Hash: 89b299af721506dc1f0d78a70672c4250cd5715899f5e76e98a22ec05fe61714
                                                                                      • Instruction Fuzzy Hash: 2BD0C978602702BB8F62DF65AD1AF1A77A8EB50702F40803BB416C2620E738E844DA0D
                                                                                      APIs
                                                                                        • Part of subcall function 004C2D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,004C2F01,?,004C20FF,004D2000), ref: 004C2D3A
                                                                                        • Part of subcall function 004C2D21: LoadLibraryA.KERNEL32(?), ref: 004C2D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004C2F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 004C2F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.3293035872.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: db36e5989226fe336c3157799c4d9089149d03af0495fa0a30321beea1d59dd9
                                                                                      • Instruction ID: 90d3cf73005c3ba09812ea3a25123deed985ed59325a2a6925c4eaed2b346203
                                                                                      • Opcode Fuzzy Hash: db36e5989226fe336c3157799c4d9089149d03af0495fa0a30321beea1d59dd9
                                                                                      • Instruction Fuzzy Hash: BA51C27A90020A9FCF01DF64D884AFAB775FF16304F14416EEC96C7210E7769A19CB88