
Windows Analysis Report
UUJycuNA6D.exe

Overview

General Information

Sample name: UUJycuNA6D.exe
Analysis ID: 1503651
MD5: b2e864c2f8f6e243822a5c133bb41061
SHA1: 5571df4cdc5b65cdc315c95ee52344dda7f12b20
SHA256: 2cccbfbe95b716e6f8b5ed1634b9ae4e6ab87e1355804ca5aea8d353673ff6a2
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • UUJycuNA6D.exe (PID: 2568 cmdline: "C:\Users\user\Desktop\UUJycuNA6D.exe" MD5: B2E864C2F8F6E243822A5C133BB41061)
    • cmd.exe (PID: 5284 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tizvpcy\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4372 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\oxdombt.exe" C:\Windows\SysWOW64\tizvpcy\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2704 cmdline: "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4612 cmdline: "C:\Windows\System32\sc.exe" description tizvpcy "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2924 cmdline: "C:\Windows\System32\sc.exe" start tizvpcy MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 5788 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • oxdombt.exe (PID: 4124 cmdline: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d"C:\Users\user\Desktop\UUJycuNA6D.exe" MD5: 89183525E055B4B7B91D225D5CE6066A)
    • svchost.exe (PID: 4448 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source | Rule | Description | Author | Strings
12.3.oxdombt.exe.7a0000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
12.3.oxdombt.exe.7a0000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.3.oxdombt.exe.7a0000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
12.3.oxdombt.exe.7a0000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.3.oxdombt.exe.7a0000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons

        System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d"C:\Users\user\Desktop\UUJycuNA6D.exe", ParentImage: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe, ParentProcessId: 4124, ParentProcessName: oxdombt.exe, ProcessCommandLine: svchost.exe, ProcessId: 4448, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\UUJycuNA6D.exe", ParentImage: C:\Users\user\Desktop\UUJycuNA6D.exe, ParentProcessId: 2568, ParentProcessName: UUJycuNA6D.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2704, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.40.26, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 4448, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d"C:\Users\user\Desktop\UUJycuNA6D.exe", ParentImage: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe, ParentProcessId: 4124, ParentProcessName: oxdombt.exe, ProcessCommandLine: svchost.exe, ProcessId: 4448, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 4448, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tizvpcy
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\UUJycuNA6D.exe", ParentImage: C:\Users\user\Desktop\UUJycuNA6D.exe, ParentProcessId: 2568, ParentProcessName: UUJycuNA6D.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2704, ProcessName: sc.exe
No Suricata rule has matched


        AV Detection

Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: 12.2.oxdombt.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\oxdombt.exe | Joe Sandbox ML: detected
Source: UUJycuNA6D.exe | Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Unpacked PE file: 0.2.UUJycuNA6D.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Unpacked PE file: 12.2.oxdombt.exe.400000.0.unpack
Source: UUJycuNA6D.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\tizvpcy

        Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.167.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.77 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.40.26
Source: Joe Sandbox View | IP Address: 67.195.204.77
Source: Joe Sandbox View | IP Address: 94.100.180.31
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-3US
Source: Joe Sandbox View | ASN Name: EUT-ASEUTIPNetworkRU
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 52.101.40.26:25
Source: global traffic | TCP traffic: 192.168.2.5:54430 -> 67.195.204.77:25
Source: global traffic | TCP traffic: 192.168.2.5:54431 -> 64.233.167.26:25
Source: global traffic | TCP traffic: 192.168.2.5:54434 -> 94.100.180.31:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54432
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54435
Source: unknown | Network traffic detected: HTTP traffic on port 54435 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 54432 -> 443

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 12.3.oxdombt.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UUJycuNA6D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.oxdombt.exe.780e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.oxdombt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.oxdombt.exe.7a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.oxdombt.exe.7a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.svchost.exe.2a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UUJycuNA6D.exe.7a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.UUJycuNA6D.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.oxdombt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UUJycuNA6D.exe PID: 2568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: oxdombt.exe PID: 4124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4448, type: MEMORYSTR

        System Summary

Source: 12.3.oxdombt.exe.7a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.oxdombt.exe.7a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.oxdombt.exe.7a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.oxdombt.exe.7a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.UUJycuNA6D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.UUJycuNA6D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.oxdombt.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.oxdombt.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.UUJycuNA6D.exe.7a0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.UUJycuNA6D.exe.7a0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.oxdombt.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.oxdombt.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.UUJycuNA6D.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.UUJycuNA6D.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.oxdombt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.oxdombt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.oxdombt.exe.7a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.oxdombt.exe.7a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.oxdombt.exe.7a0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.oxdombt.exe.7a0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 15.2.svchost.exe.2a10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 15.2.svchost.exe.2a10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.UUJycuNA6D.exe.7a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.UUJycuNA6D.exe.7a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.UUJycuNA6D.exe.7c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.UUJycuNA6D.exe.7c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.oxdombt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.oxdombt.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2089364508.000000000066A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2090230631.0000000000833000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\tizvpcy\
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_02A1C913
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: String function: 007A27AB appears 35 times
Source: UUJycuNA6D.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.3.oxdombt.exe.7a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.oxdombt.exe.7a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.3.oxdombt.exe.7a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.oxdombt.exe.7a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.UUJycuNA6D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.UUJycuNA6D.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.oxdombt.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.oxdombt.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.UUJycuNA6D.exe.7a0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.UUJycuNA6D.exe.7a0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.oxdombt.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.oxdombt.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.UUJycuNA6D.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.UUJycuNA6D.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.oxdombt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.oxdombt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.oxdombt.exe.7a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.oxdombt.exe.7a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.oxdombt.exe.7a0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.oxdombt.exe.7a0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 15.2.svchost.exe.2a10000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 15.2.svchost.exe.2a10000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.UUJycuNA6D.exe.7a0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.UUJycuNA6D.exe.7a0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.UUJycuNA6D.exe.7c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.UUJycuNA6D.exe.7c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.oxdombt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.oxdombt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2089364508.000000000066A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2090230631.0000000000833000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
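The YARA list above mixes hits on unpacked PE images with hits on raw memory dumps, and it is the split between the two that matters for triage: both Tofsee rules fire on the unpacked images of processes 0, 12 and 15, whereas the Smokeloader and RedLineStealer rules fire only on .sdmp memory regions of processes 0 and 12 and never on an unpacked PE. Memory-only hits from a second family are worth confirming (shared loader or packer code, generic strings) before the sample is reported as a multi-family infection. The following script is an added example written for this page, not part of the Joe Sandbox report or its tooling. It parses match lines in the format shown above (both the glued "UNPACKEDPEMatched rule" form of the extracted page and a comma-separated form), and it decodes the two source-identifier layouts positionally on assumptions the page's own lines support: unpacked sources as pid.stage.image.base.n[.raw].unpack and .sdmp sources as hex pid, hex stage, id, hex base, then four more fields (process 15 / 0000000F and base 2a10000 / 0000000002A10000 both name the same svchost.exe region). Treating the fifth .sdmp field as a Win32 PAGE_* protection value is this example's assumption.

```python
"""Triage of Joe Sandbox YARA match lines: which rules hit where (added example, not report code)."""
import re
from collections import defaultdict

# Constructed from match lines on this page; rule metadata shortened, both separator forms present.
SAMPLE_LINES = """
Source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows
Source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 threat_name = Windows.Trojan.Tofsee
Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f threat_name = Windows.Trojan.Smokeloader
Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 threat_name = Windows.Trojan.Tofsee
Source: 00000000.00000002.2089364508.000000000066A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c threat_name = Windows.Trojan.RedLineStealer
Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 threat_name = Windows.Trojan.Tofsee
"""

LINE_RE = re.compile(r"Source:\s*(\S+?),\s*type:\s*(UNPACKEDPE|MEMORY),?\s*Matched rule:\s*(\S+)")
# Assumed layouts: pid.stage.image.base.n[.raw].unpack and hexpid.hexstage.id.hexbase.protect.x.y.z.sdmp
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$")

# Win32 memory protection constants, applied to the low byte of the assumed protect field.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def parse_source(src):
    """Return pid, stage, base and kind for either identifier layout; raise on anything else."""
    m = UNPACK_RE.match(src)
    if m:
        return {"pid": int(m.group(1)), "stage": int(m.group(2)), "image": m.group(3),
                "base": int(m.group(4), 16), "kind": "unpacked_pe", "protect": None}
    m = SDMP_RE.match(src)
    if m:
        prot = int(m.group(5), 16)
        return {"pid": int(m.group(1), 16), "stage": int(m.group(2), 16), "image": None,
                "base": int(m.group(4), 16), "kind": "memory",
                "protect": PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}")}
    raise ValueError(f"unrecognised source identifier: {src}")


def parse_matches(text):
    """Yield (rule, source_info) for every match line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, kind, rule = m.groups()
            info = parse_source(src)
            assert info["kind"] == ("unpacked_pe" if kind == "UNPACKEDPE" else "memory")
            yield rule, info


def summarize(text):
    """Per rule: PIDs hit in unpacked PE images, PIDs hit in memory dumps, and whether it is memory-only."""
    hits = defaultdict(lambda: {"unpacked_pe": set(), "memory": set()})
    for rule, info in parse_matches(text):
        hits[rule][info["kind"]].add(info["pid"])
    return {
        rule: {
            "pids_unpacked_pe": sorted(v["unpacked_pe"]),
            "pids_memory": sorted(v["memory"]),
            # A rule that never hits an unpacked PE deserves a second look before being reported.
            "memory_only": not v["unpacked_pe"],
        }
        for rule, v in hits.items()
    }


def executable_regions(text):
    """Memory-dump hits whose (assumed) protection allows execution: likely unpacked or injected code."""
    return [(info["pid"], f"0x{info['base']:x}", info["protect"], rule)
            for rule, info in parse_matches(text)
            if info["kind"] == "memory" and info["protect"] in EXECUTABLE]


if __name__ == "__main__":
    for rule, summary in summarize(SAMPLE_LINES).items():
        print(rule, summary)
    for row in executable_regions(SAMPLE_LINES):
        print(row)
```

Run it over the full match list to get one row per rule; a rule whose `memory_only` flag is set, as both non-Tofsee rules are here, is the one to verify against the classification before it goes into a report.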
        Source: UUJycuNA6D.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine, Classification label: mal100.troj.evad.winEXE@22/3@10/5
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Code function: 0_2_0067A078 CreateToolhelp32Snapshot,Module32First,0_2_0067A078
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe, Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe, Code function: 15_2_02A19A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,15_2_02A19A6B
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03, \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03, \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03, \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03, \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03, \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, File created: C:\Users\user\AppData\Local\Temp\oxdombt.exe
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, File read: C:\Users\user\Desktop\UUJycuNA6D.exe
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe, Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_12-15085)
        Source: unknown, Process created: C:\Users\user\Desktop\UUJycuNA6D.exe "C:\Users\user\Desktop\UUJycuNA6D.exe"
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tizvpcy\
        Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\oxdombt.exe" C:\Windows\SysWOW64\tizvpcy\
        Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description tizvpcy "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tizvpcy
        Source: C:\Windows\SysWOW64\sc.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown, Process created: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d"C:\Users\user\Desktop\UUJycuNA6D.exe"
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe, Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
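The process tree above is the whole install chain in six commands: a directory is created under SysWOW64, the dropped binary is moved into it, a service with a benign-looking display name ("wifi support") is registered with start= auto, its binPath carries a /d"<path>" argument naming the original dropper (consistent with the "Deletes itself after installation" signature and the DeleteFileA calls in the entry-point chain), an inbound firewall allow rule is added for the 32-bit svchost.exe, and the service then launches that svchost.exe itself with a bare command line. Each of those steps is detectable from process-creation telemetry without any family-specific indicator. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling; its input is constructed from the "Process created" lines above plus one benign svchost.exe launch as a control, and the "parent | image | command line" layout and the rule names are this example's own rather than a Sysmon or EDR schema. The one fact it relies on beyond the page is that a legitimate svchost.exe is started by services.exe with a -k <group> argument.

```python
"""Detection logic for the service-install chain shown above (added example, not report code)."""
import re

# Constructed from the report's process tree; last line is a benign control.
SAMPLE_EVENTS = r"""
C:\Users\user\Desktop\UUJycuNA6D.exe | C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tizvpcy\
C:\Users\user\Desktop\UUJycuNA6D.exe | C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\oxdombt.exe" C:\Windows\SysWOW64\tizvpcy\
C:\Users\user\Desktop\UUJycuNA6D.exe | C:\Windows\SysWOW64\sc.exe | "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support"
C:\Users\user\Desktop\UUJycuNA6D.exe | C:\Windows\SysWOW64\sc.exe | "C:\Windows\System32\sc.exe" description tizvpcy "wifi internet conection"
C:\Users\user\Desktop\UUJycuNA6D.exe | C:\Windows\SysWOW64\sc.exe | "C:\Windows\System32\sc.exe" start tizvpcy
C:\Users\user\Desktop\UUJycuNA6D.exe | C:\Windows\SysWOW64\netsh.exe | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | C:\Windows\SysWOW64\svchost.exe | svchost.exe
C:\Windows\System32\services.exe | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p
"""

# A service binary in a subdirectory of SysWOW64 (not SysWOW64 itself) is the pattern here.
SERVICE_SUBDIR_RE = re.compile(r"^c:\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe$", re.I)
SC_CREATE_RE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)', re.I)
# Quoted binPath may contain escaped quotes, so stop only at a quote followed by the next key= or the end.
BINPATH_RE = re.compile(r'binPath=\s*(?:"(.*?)"(?=\s+\w+=|\s*$)|(\S+))', re.I)
DROPPER_ARG_RE = re.compile(r'/d\\?"([^"]+?)\\?"', re.I)
NETSH_RULE_RE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="?([^"\s]+)"?', re.I)


def parse_events(text):
    """Split the constructed 'parent | image | command line' rows into dicts, skipping malformed rows."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(" | ", 2)
        if len(parts) != 3:
            continue
        parent, image, cmdline = (p.strip() for p in parts)
        events.append({"parent": parent, "image": image, "cmdline": cmdline})
    return events


def check_service_install(ev):
    """sc create with a binary in a SysWOW64 subdirectory, a dropper path in binPath, or both, auto-started."""
    findings = []
    m = SC_CREATE_RE.search(ev["cmdline"])
    if not m:
        return findings
    svc = m.group(1)
    b = BINPATH_RE.search(ev["cmdline"])
    if not b:
        return findings
    binpath = b.group(1) if b.group(1) is not None else b.group(2)
    exe = binpath.split(" ", 1)[0]          # first token of the binPath is the service image
    if SERVICE_SUBDIR_RE.match(exe):
        findings.append(("service_exe_in_syswow64_subdir", f"{svc}: {exe}"))
    d = DROPPER_ARG_RE.search(binpath)
    if d and d.group(1).lower().startswith("c:\\users\\"):
        findings.append(("service_binpath_references_dropper", f"{svc}: /d {d.group(1)}"))
    if findings and re.search(r"\bstart=\s*auto\b", ev["cmdline"], re.I):
        findings.append(("service_autostart", svc))
    return findings


def check_firewall_rule(ev):
    """netsh adding an inbound allow rule for any svchost.exe: the system never needs one."""
    m = NETSH_RULE_RE.search(ev["cmdline"])
    if not m:
        return []
    inbound_allow = (re.search(r"\bdir=in\b", ev["cmdline"], re.I)
                     and re.search(r"\baction=allow\b", ev["cmdline"], re.I))
    if inbound_allow and m.group(1).lower().endswith("\\svchost.exe"):
        return [("firewall_inbound_allow_for_svchost", m.group(1))]
    return []


def check_svchost(ev):
    """svchost.exe not spawned by services.exe, or launched without a -k service group."""
    if not ev["image"].lower().endswith("\\svchost.exe"):
        return []
    findings = []
    if not ev["parent"].lower().endswith("\\services.exe"):
        findings.append(("svchost_parent_not_services", ev["parent"]))
    if not re.search(r"(^|\s)-k\s+\S+", ev["cmdline"]):
        findings.append(("svchost_without_service_group", ev["cmdline"]))
    return findings


def scan(text):
    """Run every check over every event and return one finding dict per hit."""
    results = []
    for ev in parse_events(text):
        for rule, detail in check_service_install(ev) + check_firewall_rule(ev) + check_svchost(ev):
            results.append({"rule": rule, "image": ev["image"], "detail": detail})
    return results


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["rule"], "|", f["image"], "|", f["detail"])
```

On a real host the same three checks map onto process-creation telemetry (Sysmon Event ID 1 or Security 4688: ParentImage, Image, CommandLine) and service-installation events (System 7045 or Security 4697, which carry the service name and binPath directly); the control row shows that a services.exe-spawned svchost.exe with a -k group produces nothing.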
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe, Section loaded: apphelp.dll, msimg32.dll, dbghelp.dll, msvcr100.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe, Section loaded: apphelp.dll, msimg32.dll, dbghelp.dll, msvcr100.dll, sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: kernel.appcore.dll, ifmon.dll, iphlpapi.dll, mprapi.dll, rasmontr.dll, rasapi32.dll, rasman.dll, fwpuclnt.dll, mfc42u.dll, authfwcfg.dll, fwpolicyiomgr.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, dhcpcmonitor.dll, dot3cfg.dll, dot3api.dll, onex.dll, eappcfg.dll, ncrypt.dll, eappprxy.dll, ntasn1.dll, fwcfg.dll, hnetmon.dll, netshell.dll, nlaapi.dll, netsetupapi.dll, netiohlp.dll, dhcpcsvc.dll, winnsi.dll, nshhttp.dll, httpapi.dll, nshipsec.dll, userenv.dll, activeds.dll, polstore.dll, winipsec.dll, adsldpc.dll, nshwfp.dll, cabinet.dll, p2pnetsh.dll, p2p.dll, profapi.dll, cryptbase.dll, rpcnsh.dll, whhelper.dll, winhttp.dll, wlancfg.dll, cryptsp.dll, wlanapi.dll, wshelper.dll, wevtapi.dll, mswsock.dll, peerdistsh.dll, uxtheme.dll, wcmapi.dll, rmclient.dll, mobilenetworking.dll, slc.dll, sppc.dll, gpapi.dll, ktmw32.dll, mprmsg.dll, windows.storage.dll, wldp.dll, msasn1.dll
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\UUJycuNA6D.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\UUJycuNA6D.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: UUJycuNA6D.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Unpacked PE file: 0.2.UUJycuNA6D.exe.400000.0.unpack | .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Unpacked PE file: 12.2.oxdombt.exe.400000.0.unpack | .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Unpacked PE file: 0.2.UUJycuNA6D.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Unpacked PE file: 12.2.oxdombt.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: UUJycuNA6D.exe | Static PE information: section name: .tuhorak
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_0067D360 push 0000002Bh; iretd (instruction at 0_2_0067D366)
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Code function: 12_2_008466D0 push 0000002Bh; iretd (instruction at 12_2_008466D6)
        Source: UUJycuNA6D.exe | Static PE information: section name: .text entropy: 7.606974793826717
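The "Unpacked PE file" lines above list two section layouts, the one with the non-standard .tuhorak section (which the static line confirms is present in the file on disk) against a conventional .text/.rdata/.data/.reloc layout, and the last line reports a .text entropy of 7.6, close to the 8.0 of random data and typical of packed code. The script below is an added example, not Joe Sandbox code and not taken from the sample: it walks the section table of a PE with struct alone, prints an E/R/W rights summary in the same spirit as the report's notation, computes per-section entropy, and flags unusual names, high entropy and writable+executable sections. The PE it analyses is constructed in memory (a .tuhorak section and a pseudo-random .text are made up to mirror the report); for a real file pass its bytes to analyze().

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SCN_* characteristic bits from the PE/COFF specification.
SCN_CODE = 0x00000020
SCN_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Section names a stock MSVC/MinGW link normally produces; anything else gets flagged.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                   ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; packed or encrypted code sits near 7.5-8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rights(ch: int) -> str:
    """E/R/W letters from the section characteristics, e.g. '.text:ER'."""
    return (("E" if ch & SCN_MEM_EXECUTE else "") + ("R" if ch & SCN_MEM_READ else "")
            + ("W" if ch & SCN_MEM_WRITE else ""))


def parse_sections(pe: bytes):
    """Minimal section-table reader for PE32/PE32+ (no pefile dependency)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)        # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        name, _vsize, vaddr, rawsize, rawptr, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                    "data": pe[rawptr:rawptr + rawsize], "characteristics": ch})
    return out


def analyze(pe: bytes, entropy_threshold: float = 7.0):
    """Per-section summary plus the flags an analyst wants raised."""
    rows = []
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        r = rights(s["characteristics"])
        flags = []
        if s["name"] not in COMMON_SECTIONS:
            flags.append("unusual-name")
        if ent >= entropy_threshold:
            flags.append("high-entropy")
        if "E" in r and "W" in r:
            flags.append("writable-executable")     # self-modifying / unpacking stub
        if "E" in r and not (s["characteristics"] & SCN_CODE):
            flags.append("executable-but-not-code")
        rows.append({"name": s["name"], "rights": r, "entropy": round(ent, 3), "flags": flags})
    return rows


def layout(rows) -> str:
    """Render like the report: '.text:ER;.data:RW;...'."""
    return "".join(f"{r['name']}:{r['rights']};" for r in rows)


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for packed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal, non-runnable PE32 from (name, data, characteristics) tuples."""
    n = len(sections)
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0B\x01" + b"\0" * (opt_size - 2)                # PE32 magic, rest zeroed
    first_raw = (e_lfanew + 24 + opt_size + 40 * n + 0x1FF) & ~0x1FF   # 512-byte file alignment
    table, payload = b"", b""
    for i, (name, data, ch) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(data), first_raw + len(payload), 0, 0, 0, 0, ch)
        payload += data
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + payload


# Constructed input modelled on the report's layout; not the sample's bytes.
SAMPLE_PE = build_sample_pe([
    (".text", _pseudo_random(4096), SCN_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".data", b"\0" * 512, SCN_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    (".tuhorak", b"stub" * 128, SCN_INITIALIZED_DATA | SCN_MEM_READ),
    (".rsrc", b"\0" * 256 + b"RESOURCE", SCN_INITIALIZED_DATA | SCN_MEM_READ),
])

if __name__ == "__main__":
    rows = analyze(SAMPLE_PE)
    print(layout(rows))
    for r in rows:
        print(f"{r['name']:<10} {r['rights']:<3} entropy={r['entropy']:.3f} {' '.join(r['flags'])}")
```

Entropy alone is not a packer verdict (a large embedded resource or certificate blob scores high too); the combination of a high-entropy .text, a non-standard section name and a small import table is what makes this sample's layout suspicious.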

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\oxdombt.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created (dropped file): C:\Windows\SysWOW64\tizvpcy\oxdombt.exe (copy) (reported twice)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tizvpcy
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\uujycuna6d.exe
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process information set: NOGPFAULTERRORBOX (12 occurrences)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_02A1199C inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_15-7597)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-15408)
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_12-15510)
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision (graph_15-6133)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-15397)
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_12-15467)
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_15-7350)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_0-15192)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_0-15140)
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_12-15101)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-14969)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | API coverage: 5.9 %
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | API coverage: 4.4 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 4180 | Thread sleep count: 35 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 4180 | Thread sleep time: -35000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed (2 occurrences)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount
        Source: svchost.exe, 0000000F.00000002.3296495633.0000000002E00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | API call chain: ExitProcess graph end node (graph_0-15399)
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | API call chain: ExitProcess graph end node (graph_12-15469)

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_15-7484)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00679955 push dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_007A092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_007A0D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Code function: 12_2_0078092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Code function: 12_2_00780D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Code function: 12_2_00842CC5 push dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00409A6B (the same chain is reported as 12_2_00409A6B in C:\Windows\SysWOW64\tizvpcy\oxdombt.exe and as 15_2_02A19A6B in C:\Windows\SysWOW64\svchost.exe) EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
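fs:[30h] is the 32-bit way to reach the PEB; the field read next usually says what the code is after (BeingDebugged at offset 2, NtGlobalFlag at 0x68, Ldr at 0xC for resolving imports by hand, which matches the LoadLibraryA/GetProcAddress chains above), and "push 2Bh; iretd" is a control transfer through iretd that breaks linear disassembly. Added example, not Joe Sandbox or Tofsee code: a static byte-pattern scanner for these encodings that also reports which PEB field is read within a short window after each load. The instruction encodings are standard x86; the code fragment it scans is constructed for the example, not bytes from the sample.

```python
import re


def _modrm_disp8_class() -> bytes:
    """Regex class of ModR/M bytes with mod=01 (an 8-bit displacement follows), any
    reg, any base except rm=100, which takes a SIB byte and would shift the offset."""
    return b"[" + re.escape(bytes(b for b in range(0x40, 0x80) if (b & 7) != 4)) + b"]"


DISP8 = _modrm_disp8_class()

# Ways to load the PEB pointer: fs:[30h] on 32-bit Windows, gs:[60h] on 64-bit.
PEB_LOADS = [
    (re.compile(rb"\x64\xA1\x30\x00\x00\x00"), "mov eax, fs:[30h]"),
    (re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00"), "mov r32, fs:[30h]"),
    (re.compile(rb"\x64\xFF\x35\x30\x00\x00\x00"), "push dword ptr fs:[30h]"),
    (re.compile(rb"\x65\x48\x8B\x04\x25\x60\x00\x00\x00"), "mov rax, gs:[60h]"),
]
# PEB fields typically read right after the load (32-bit offsets).
FIELD_READS = [
    (re.compile(rb"\x0F\xB6" + DISP8 + rb"\x02"), "PEB.BeingDebugged (+2)"),
    (re.compile(rb"\x8B" + DISP8 + rb"\x68"), "PEB.NtGlobalFlag (+68h)"),
    (re.compile(rb"\x8B" + DISP8 + rb"\x0C"), "PEB.Ldr (+0Ch), manual import resolution"),
]
# The iretd trick the report lists for both the dropper and the service binary.
TRICKS = [
    (re.compile(rb"\x6A\x2B\xCF"), "push 2Bh; iretd"),
]


def scan(blob: bytes, window: int = 24):
    """Return sorted (offset, description) pairs for every PEB load and iretd trick."""
    hits = []
    for rx, label in PEB_LOADS:
        for m in rx.finditer(blob):
            desc = label
            tail = blob[m.end():m.end() + window]       # what happens with the pointer next
            for frx, flabel in FIELD_READS:
                if frx.search(tail):
                    desc += " -> " + flabel
                    break
            hits.append((m.start(), desc))
    for rx, label in TRICKS:
        hits.extend((m.start(), label) for m in rx.finditer(blob))
    return sorted(hits)


# Constructed code fragment (not bytes from the sample): a BeingDebugged check,
# the iretd trick, and a second PEB load that reads NtGlobalFlag.
SAMPLE = (
    b"\x55\x8B\xEC"                        # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]
    + b"\x85\xC0\x74\x05"                  # test eax, eax; jz +5
    + b"\xE8\x00\x00\x00\x00"              # call rel32 (target irrelevant here)
    + b"\x90" * 8
    + b"\x6A\x2B\xCF"                      # push 2Bh; iretd
    + b"\x90" * 4
    + b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, fs:[30h]
    + b"\x8B\x41\x68"                      # mov eax, [ecx+68h]
    + b"\x5D\xC3"                          # pop ebp; ret
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {desc}")
```

Run it over the executable sections of an unpacked dump rather than the packed file on disk: in this sample the PEB reads live in the unpacked regions (0_2_007A092B, 12_2_0078092B), so scanning the on-disk .text with its 7.6 entropy would find nothing.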

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.26 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.167.26 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.77 25
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2A10000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A10000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A10000
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 28E2008
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tizvpcy\
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\oxdombt.exe" C:\Windows\SysWOW64\tizvpcy\
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description tizvpcy "wifi internet conection"
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start tizvpcy
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey (reported twice in this section)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey
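The memory and network lines above describe textbook PE injection: oxdombt.exe allocates an execute/read/write region in svchost.exe at 2A10000, writes a buffer that starts with 4D5A ("MZ") into it, and the svchost.exe it started itself (rather than one started by services.exe) then opens tcp/25 connections to several mail servers, which is the spam-bot behaviour Tofsee is known for. Added example, not Joe Sandbox code: a small correlation routine over constructed EDR-style telemetry that raises one alert for each of those three facts. PIDs 4124/4448, the base addresses, the MZ prefix and the destinations are taken from the report; the event shape, the parent-image field, the bytes after MZ and the thresholds are assumptions made for the example, as is the rule that services.exe is the only expected parent of svchost.exe.

```python
from collections import defaultdict

# Page-protection constants from winnt.h.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
RWX = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
SMTP_FANOUT_THRESHOLD = 3          # distinct tcp/25 peers before a process is called a mailer
SVCHOST_PARENTS = {"services.exe"}  # assumption: the only legitimate parent of svchost.exe

SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"

# Constructed telemetry modelled on the report's observations. PIDs 4124 and 4448,
# the bases, the 4D5A prefix and the destinations are the report's; the rest is made up.
EVENTS = [
    {"kind": "proc_create", "pid": 4448, "image": SVCHOST,
     "ppid": 4124, "parent_image": "C:\\Windows\\SysWOW64\\tizvpcy\\oxdombt.exe"},
    {"kind": "mem_alloc", "src": 4124, "target": 4448, "base": 0x2A10000, "protect": PAGE_EXECUTE_READWRITE},
    {"kind": "mem_write", "src": 4124, "target": 4448, "base": 0x2A10000, "data": b"MZ\x90\x00\x03\x00"},
    {"kind": "mem_write", "src": 4124, "target": 4448, "base": 0x2A10000, "data": b"\x00" * 16},
    {"kind": "mem_write", "src": 4124, "target": 4448, "base": 0x28E2008, "data": b"\x00\x00\xa1\x02"},
    {"kind": "net_connect", "pid": 4448, "image": SVCHOST, "dst": "77.232.41.29", "dport": 443},
    {"kind": "net_connect", "pid": 4448, "image": SVCHOST, "dst": "94.100.180.31", "dport": 25},
    {"kind": "net_connect", "pid": 4448, "image": SVCHOST, "dst": "52.101.40.26", "dport": 25},
    {"kind": "net_connect", "pid": 4448, "image": SVCHOST, "dst": "64.233.167.26", "dport": 25},
    {"kind": "net_connect", "pid": 4448, "image": SVCHOST, "dst": "67.195.204.77", "dport": 25},
]


def analyze(events):
    """Walk the events in order and return human-readable alerts."""
    alerts = []
    rwx = set()                    # (src, target, base) regions allocated RWX in another process
    injected = set()               # so several write chunks to one region give one alert
    smtp_peers = defaultdict(set)  # pid -> distinct tcp/25 destinations
    for e in events:
        k = e["kind"]
        if k == "proc_create":
            parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
            if e["image"].lower().endswith("\\svchost.exe") and parent not in SVCHOST_PARENTS:
                alerts.append(f"svchost.exe (pid {e['pid']}) started by {e['parent_image']}, expected services.exe")
        elif k == "mem_alloc" and e["src"] != e["target"] and e["protect"] in RWX:
            rwx.add((e["src"], e["target"], e["base"]))
        elif k == "mem_write" and e["src"] != e["target"]:
            key = (e["src"], e["target"], e["base"])
            # A DOS header landing in a remote RWX region is a PE image being injected.
            if key in rwx and e["data"][:2] == b"MZ" and key not in injected:
                injected.add(key)
                alerts.append(f"PE image written by pid {e['src']} into pid {e['target']} at {e['base']:#x} (RWX)")
        elif k == "net_connect" and e["dport"] == 25:
            smtp_peers[e["pid"]].add(e["dst"])
    for pid, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            alerts.append(f"pid {pid} connected to {len(peers)} distinct SMTP (tcp/25) hosts")
    return alerts


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

The injection rule keys on the allocation and the write sharing (source, target, base), so a write of MZ into a region the source never made executable, or into its own process, produces no alert; the fan-out rule counts distinct peers rather than connections, so a mail client retrying one server does not trip it.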

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul (reported twice)
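Taken together, the commands the dropper runs are the whole installation: cmd.exe creates a directory under SysWOW64 and moves the dropped file into it, sc.exe registers it as an auto-start service whose binPath carries the original dropper path after /d, gives it a plausible display name and starts it, and netsh.exe adds an inbound allow rule for svchost.exe under a name that imitates the legitimate "Host Process for Windows Services". Added example, not Joe Sandbox code: a detection routine that parses these command lines (the key= value syntax of sc.exe and netsh.exe, including the escaped quotes inside binPath) and scores the children of one parent process together instead of judging each command alone. The process-creation events are constructed from the report's command lines; every PID other than 2568 is invented, and the benign installer sequence is made up to show the score separating the two cases.

```python
import re
from collections import defaultdict

# key= value pairs as sc.exe and netsh.exe take them (sc wants a space after '=');
# the quoted alternative accepts \" inside the value, which binPath needs here.
KV = re.compile(r'(\w+)=\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Paths from the report, used to build the constructed events below.
SYS32 = "C:\\Windows\\System32\\"
DROPPER = "C:\\Users\\user\\Desktop\\UUJycuNA6D.exe"
SVC_DIR = "C:\\Windows\\SysWOW64\\tizvpcy\\"

# Constructed process-creation events (Sysmon EID 1 / 4688 shape). PID 2568 is the
# report's; every other PID is invented.
EVENTS = [
    {"pid": 2568, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 3001, "ppid": 2568, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"{SYS32}cmd.exe" /C mkdir {SVC_DIR}'},
    {"pid": 3002, "ppid": 2568, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"{SYS32}cmd.exe" /C move /Y "C:\\Users\\user\\AppData\\Local\\Temp\\oxdombt.exe" {SVC_DIR}'},
    {"pid": 3003, "ppid": 2568, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": f'"{SYS32}sc.exe" create tizvpcy binPath= "{SVC_DIR}oxdombt.exe /d\\"{DROPPER}\\"" '
                f'type= own start= auto DisplayName= "wifi support"'},
    {"pid": 3004, "ppid": 2568, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": f'"{SYS32}sc.exe" description tizvpcy "wifi internet conection"'},
    {"pid": 3005, "ppid": 2568, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": f'"{SYS32}sc.exe" start tizvpcy'},
    {"pid": 3006, "ppid": 2568, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmdline": f'"{SYS32}netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
                f'dir=in action=allow program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes'},
]
# Made-up benign installer: a vendor setup under Program Files registering its own service.
BENIGN = [
    {"pid": 5000, "ppid": 900, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "cmdline": '"C:\\Program Files\\Vendor\\setup.exe" /quiet'},
    {"pid": 5001, "ppid": 5000, "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": f'"{SYS32}sc.exe" create VendorSvc binPath= "C:\\Program Files\\Vendor\\vendorsvc.exe" start= auto'},
    {"pid": 5002, "ppid": 5000, "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": f'"{SYS32}sc.exe" start VendorSvc'},
]


def parse_kv(cmdline: str) -> dict:
    """Lower-cased keys -> unescaped values for every key= value pair on the line."""
    out = {}
    for m in KV.finditer(cmdline):
        val = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1).lower()] = val.replace('\\"', '"')
    return out


def parse_sc_create(cmdline: str):
    """Service name plus binpath/start/displayname/... for an 'sc create' line, else None."""
    parts = cmdline.split()
    if "create" not in parts:
        return None
    return {"name": parts[parts.index("create") + 1], **parse_kv(cmdline)}


def analyze_chain(events):
    """Indicator list per parent PID, correlating all children that parent spawned."""
    image_of = {e["pid"]: e["image"] for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    result = {}
    for ppid, kids in children.items():
        parent = image_of.get(ppid, "").lower()
        ind, created = [], set()
        for e in kids:
            exe = e["image"].lower().rsplit("\\", 1)[-1]
            low = e["cmdline"].lower()
            if exe == "cmd.exe" and " move " in low and "\\windows\\" in low.split(" move ", 1)[1]:
                ind.append("cmd_moves_file_into_windows_dir")
            elif exe == "sc.exe":
                svc = parse_sc_create(e["cmdline"])
                if svc:
                    created.add(svc["name"].lower())
                    if parent.startswith("c:\\users\\"):
                        ind.append("service_created_by_user_path_process")
                    if parent and parent in svc.get("binpath", "").lower():
                        ind.append("service_binpath_relaunches_creator")   # the /d"<dropper>" argument
                    if svc.get("start", "").lower() == "auto":
                        ind.append("service_autostart")
                elif " start " in low and low.split(" start ", 1)[1].strip() in created:
                    ind.append("service_started_by_creator")
            elif exe == "netsh.exe" and "add rule" in low and "action=allow" in low:
                if parse_kv(e["cmdline"]).get("program", "").lower().endswith("\\svchost.exe"):
                    ind.append("firewall_allow_rule_for_svchost")
        result[ppid] = ind
    return result


def suspicious_parents(events, threshold: int = 4):
    """Parents whose children together show at least `threshold` distinct indicators."""
    return [ppid for ppid, ind in analyze_chain(events).items() if len(set(ind)) >= threshold]


if __name__ == "__main__":
    for ppid, ind in analyze_chain(EVENTS).items():
        print(ppid, ind)
    print("suspicious:", suspicious_parents(EVENTS), "benign:", suspicious_parents(BENIGN))
```

No single child here is conclusive (installers legitimately run sc create with start= auto), which is why the score is computed per parent; the two indicators that carry most weight on their own are a service binPath that embeds the path of the process creating it and a netsh allow rule for svchost.exe, which Windows components add through the firewall API rather than through netsh.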

        Stealing of Sensitive Information

        Source: Yara match | File source: 12.3.oxdombt.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.UUJycuNA6D.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.780e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.7a0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.7a0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.2a10000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.UUJycuNA6D.exe.7a0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.UUJycuNA6D.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: UUJycuNA6D.exe PID: 2568, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: oxdombt.exe PID: 4124, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4448, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 12.3.oxdombt.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.UUJycuNA6D.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.780e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.7a0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.2a10000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.7a0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.2a10000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.UUJycuNA6D.exe.7a0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.UUJycuNA6D.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.UUJycuNA6D.exe.7c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.oxdombt.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: UUJycuNA6D.exe PID: 2568, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: oxdombt.exe PID: 4124, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4448, type: MEMORYSTR
        Source: C:\Users\user\Desktop\UUJycuNA6D.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        Source: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_02A188B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname

        MITRE ATT&CK techniques marked in the report's matrix (the number before each technique is the count badge shown in that matrix cell; tactics with no marked technique are listed as none):

        Reconnaissance: none
        Resource Development: none
        Initial Access: 1 Valid Accounts
        Execution: 41 Native API; 2 Command and Scripting Interpreter; 3 Service Execution
        Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 14 Windows Service
        Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 14 Windows Service; 412 Process Injection
        Defense Evasion: 3 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 12 Masquerading; 1 Valid Accounts; 11 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
        Credential Access: none
        Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 15 System Information Discovery; 111 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
        Lateral Movement: none
        Collection: 1 Archive Collected Data
        Command and Control: 1 Ingress Tool Transfer; 12 Encrypted Channel; 1 Non-Application Layer Protocol; 112 Application Layer Protocol
        Exfiltration: none
        Impact: none
Behavior Graph (ID: 1503651, Sample: UUJycuNA6D.exe, Startdate: 03/09/2024, Architecture: WINDOWS, Score: 100; graph node ids in parentheses)

Start (2)
  DNS/IP: yahoo.com; vanaheim.cn; 6 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
  Started: oxdombt.exe (8); UUJycuNA6D.exe (11)

oxdombt.exe (8)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  Started: svchost.exe (14)

UUJycuNA6D.exe (11)
  Dropped: C:\Users\user\AppData\Local\...\oxdombt.exe, PE32
  Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: cmd.exe (18); netsh.exe (21); cmd.exe (23); 3 other processes (25)

svchost.exe (14)
  DNS/IP: mta6.am0.yahoodns.net 67.195.204.77, port 25, YAHOO-3US, United States; microsoft-com.mail.protection.outlook.com 52.101.40.26, port 25, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 3 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

cmd.exe (18)
  Dropped: C:\Windows\SysWOW64\...\oxdombt.exe (copy), PE32
  Started: conhost.exe (27)

netsh.exe (21)
  Started: conhost.exe (29)

cmd.exe (23)
  Started: conhost.exe (31)

3 other processes (25)
  Started: conhost.exe (33); conhost.exe (35); conhost.exe (37)

Source | Detection | Scanner | Label
UUJycuNA6D.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\oxdombt.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 67.195.204.77 | true | true | | unknown
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.40.26 | true | true | | unknown
vanaheim.cn | 77.232.41.29 | true | true | | unknown
smtp.google.com | 64.233.167.26 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.40.26 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
64.233.167.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
67.195.204.77 | mta6.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true
77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503651
Start date and time: 2024-09-03 18:51:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: UUJycuNA6D.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/3@10/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 68
• Number of non-executed functions: 254
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.231.239.246, 20.70.246.20, 20.76.201.171, 20.236.44.162, 20.112.250.133
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: UUJycuNA6D.exe
Time | Type | Description
12:52:46 | API Interceptor | 8x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.40.26 | igvdwmhd.exe | malicious | Tofsee
52.101.40.26 | .exe | malicious | Unknown
52.101.40.26 | setup.exe | malicious | Tofsee
52.101.40.26 | lYWiDKe1In.exe | malicious | Tofsee
52.101.40.26 | DWoKcG581L.exe | malicious | Tofsee
52.101.40.26 | Wc4SadetF5.exe | malicious | Tofsee
52.101.40.26 | L7iza9mNDI.exe | malicious | Tofsee
52.101.40.26 | file.exe | malicious | Tofsee
52.101.40.26 | U9dDsItOij.exe | malicious | Tofsee
52.101.40.26 | t26nL0kcxj.exe | malicious | Tofsee
67.195.204.77 | bEsOrli29K.exe | malicious | Tofsee
67.195.204.77 | m4Jp2TLBHJ.exe | malicious | Tofsee
67.195.204.77 | vyrcclmm.exe | malicious | Tofsee
67.195.204.77 | file.exe | malicious | Phorpiex, Xmrig
67.195.204.77 | l3Qj8QhTYZ.exe | malicious | Phorpiex
67.195.204.77 | data.log.exe | malicious | Unknown
67.195.204.77 | message.elm.exe | malicious | Unknown
67.195.204.77 | message.txt.exe | malicious | Unknown
67.195.204.77 | test.dat.exe | malicious | Unknown
67.195.204.77 | Update-KB78-x86.exe | malicious | Unknown
77.232.41.29 | bEsOrli29K.exe | malicious | Tofsee
94.100.180.31 | igvdwmhd.exe | malicious | Tofsee
94.100.180.31 | fdnoqmpv.exe | malicious | Tofsee
94.100.180.31 | rRBVVlBwia.exe | malicious | Tofsee
94.100.180.31 | setup.exe | malicious | Tofsee
94.100.180.31 | m4Jp2TLBHJ.exe | malicious | Tofsee
94.100.180.31 | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee
94.100.180.31 | vyrcclmm.exe | malicious | Tofsee
94.100.180.31 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
94.100.180.31 | file.exe | malicious | Phorpiex, Xmrig
94.100.180.31 | .exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mxs.mail.ru | bEsOrli29K.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Eduhazqw4u.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | igvdwmhd.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | setup.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 5CxmQXL0LD.exe | malicious | SystemBC | 94.100.180.31
microsoft-com.mail.protection.outlook.com | bEsOrli29K.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | Eduhazqw4u.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | igvdwmhd.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | .exe | malicious | Unknown | 52.101.40.26
microsoft-com.mail.protection.outlook.com | Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | ewdWlNc8TL.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | rRBVVlBwia.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | setup.exe | malicious | Tofsee | 52.101.40.26
vanaheim.cn | bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | Eduhazqw4u.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | igvdwmhd.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | setup.exe | malicious | Tofsee | 185.218.0.41
vanaheim.cn | m4Jp2TLBHJ.exe | malicious | Tofsee | 195.133.13.231
mta6.am0.yahoodns.net | SGn3RtDC8Y.exe | malicious | Tofsee | 67.195.228.106
mta6.am0.yahoodns.net | .exe | malicious | Unknown | 98.136.96.76
mta6.am0.yahoodns.net | Sm4Ty3Em4z.exe | malicious | Tofsee | 67.195.204.73
mta6.am0.yahoodns.net | ewdWlNc8TL.exe | malicious | Tofsee | 67.195.204.74
mta6.am0.yahoodns.net | rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
mta6.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 98.136.96.75
mta6.am0.yahoodns.net | I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | OgcktrbHkI.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.94
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.204.72
Match | Associated Sample Name / URL | Detection | Threat Name | Context
YAHOO-3US | bEsOrli29K.exe | malicious | Tofsee | 67.195.204.77
YAHOO-3US | firmware.armv7l.elf | malicious | Unknown | 74.6.99.126
YAHOO-3US | Sm4Ty3Em4z.exe | malicious | Tofsee | 67.195.204.73
YAHOO-3US | ewdWlNc8TL.exe | malicious | Tofsee | 67.195.204.74
YAHOO-3US | arm7.elf | malicious | Mirai | 98.139.166.43
YAHOO-3US | https://www.ima-india.com/index.php | malicious | Unknown | 74.6.138.67
YAHOO-3US | https://www.ima-india.com/index.php | malicious | Unknown | 74.6.138.67
YAHOO-3US | https://www.ima-india.com/index.php?option=com_content&view=article&id=1092&Itemid=483 | malicious | Unknown | 74.6.138.65
YAHOO-3US | D8OieODwpn.elf | malicious | Mirai, Gafgyt, Okiru | 72.30.110.165
YAHOO-3US | m4Jp2TLBHJ.exe | malicious | Tofsee | 67.195.204.77
MICROSOFT-CORP-MSN-AS-BLOCKUS | Pensacola Country Club.pdf | malicious | Unknown | 52.108.66.1
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.67
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://bestbuy.beautybyjoulexa.com.au/citrix/fxc/bWljaGFlbHNjb2ZpZWxkQGRpc25leS5jb20= | malicious | HTMLPhisher | 20.190.160.20
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://www.harmonyhomesestateagency.com | malicious | Unknown | 168.61.99.102
MICROSOFT-CORP-MSN-AS-BLOCKUS | PossiblePhishing.html | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://bergtool-my.sharepoint.com/:f:/p/officemgr/EkAEY_TxWUpGjuhgV5jRSO8BD2acB1HjNb72Far_j2tXBg?e=T7fVyK | malicious | EvilProxy | 20.42.73.31
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://1drv.ms/o/s!Anj1aub9f0oSf85OHsWb-1KGYts?e=cSo5yQ | malicious | Unknown | 40.126.32.68
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://www.cognitoforms.com/PG12/PrincipleGlobal | malicious | Unknown | 13.107.246.67
EUT-ASEUTIPNetworkRU | bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | Set-up.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | Set-up.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot, Neoreklami | 77.232.42.234
EUT-ASEUTIPNetworkRU | fullsetup.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | fullsetup.exe | malicious | Cryptbot | 77.232.42.234
                                                                                      No context
                                                                                      No context
                                                                                      Process:C:\Users\user\Desktop\UUJycuNA6D.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14528000
                                                                                      Entropy (8bit):4.588892804596487
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:nc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:n1OZDisvwdaxO0PuG1R4CWs
                                                                                      MD5:89183525E055B4B7B91D225D5CE6066A
                                                                                      SHA1:26CB23C3FB3124D0ECFF5472B4798AC6C24EA648
                                                                                      SHA-256:A00C6A8DD238A4692B6EE65F9D34DDA5DF7D7B2C9D3A32BE95AF245D88E66186
                                                                                      SHA-512:A4BFB1A8216F32E000EC5DE329132CBA4AFB2E0E534B29D9C687FDC96D926AA440DE4FA987DFD25990958CB61A2214C5035AF0986F8BCD2EC43806D11D5210BD
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&.......8...v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14528000
Entropy (8bit): 4.588892804596487
Encrypted: false
SSDEEP: 6144:nc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:n1OZDisvwdaxO0PuG1R4CWs
MD5: 89183525E055B4B7B91D225D5CE6066A
SHA1: 26CB23C3FB3124D0ECFF5472B4798AC6C24EA648
SHA-256: A00C6A8DD238A4692B6EE65F9D34DDA5DF7D7B2C9D3A32BE95AF245D88E66186
SHA-512: A4BFB1A8216F32E000EC5DE329132CBA4AFB2E0E534B29D9C687FDC96D926AA440DE4FA987DFD25990958CB61A2214C5035AF0986F8BCD2EC43806D11D5210BD
Malicious: true
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview:
A specified value is not valid.

Usage: add rule name=<string>
      dir=in|out
      action=allow|block|bypass
      [program=<program path>]
      [service=<service short name>|any]
      [description=<string>]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...]]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
      [remoteport=0-65535|<port range>[,...]|any (default=any)]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any (default=any)]
      [interfacetype=wireless|lan|ras|any]
      [rmtcomputergrp=<SDDL string>]
      [rmtusrgrp=<SDDL string>]
      [edge=yes|deferapp|deferuser|no (default=no)]
      [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.981427230304483
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: UUJycuNA6D.exe
File size: 433'664 bytes
MD5: b2e864c2f8f6e243822a5c133bb41061
SHA1: 5571df4cdc5b65cdc315c95ee52344dda7f12b20
SHA256: 2cccbfbe95b716e6f8b5ed1634b9ae4e6ab87e1355804ca5aea8d353673ff6a2
SHA512: 32a6087702abe92daab3e2c194b07006f5b9d3cdf48c692d23775f0d75e2941882920767148564ac7fedc417beadb1ae75734f240d07bec30eb262ae4f534e73
SSDEEP: 6144:qc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:q1OZDisvwdaxO0PuG1R4CWs
TLSH: B194C033A2D1FC60F96266319D2BC6FC362FB961CD28679B22187F1F19B0191D67A311
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e...................
Icon Hash: cd4d3d2e4e054d03
Entrypoint: 0x406c18
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x65C24DBB [Tue Feb 6 15:18:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 526678b0f88b7214e779e54df5f3d8dd
Instruction
call 00007F6230CA5328h
jmp 00007F6230CA130Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [00458AE0h], eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov eax, dword ptr [00441E68h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
mov ebx, dword ptr [ebp+08h]
push edi
cmp ebx, FFFFFFFFh
je 00007F6230CA1489h
push ebx
call 00007F6230CA538Ah
pop ecx
and dword ptr [ebp-00000320h], 00000000h
push 0000004Ch
lea eax, dword ptr [ebp-0000031Ch]
push 00000000h
push eax
call 00007F6230CA3837h
lea eax, dword ptr [ebp-00000320h]
mov dword ptr [ebp-00000328h], eax
lea eax, dword ptr [ebp-000002D0h]
add esp, 0Ch
mov dword ptr [ebp-00000324h], eax
mov dword ptr [ebp-00000220h], eax
mov dword ptr [ebp-00000224h], ecx
mov dword ptr [ebp-00000228h], edx
mov dword ptr [ebp-0000022Ch], ebx
mov dword ptr [ebp-00000230h], esi
mov dword ptr [ebp-00000234h], edi
mov word ptr [ebp-00000208h], ss
mov word ptr [ebp-00000214h], cs
mov word ptr [ebp-00000238h], ds
mov word ptr [ebp-0000023Ch], es
mov word ptr [ebp-00000240h], fs
mov word ptr [ebp-00000244h], gs
pushfd
pop dword ptr [ebp-00000210h]
mov eax, dword ptr [ebp+00h]
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3f584 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1eb000 | 0x126a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3f5d4 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4e10 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1f0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3f0e6 | 0x3f200 | 884d76322df7a8608a2646ab4fae4309 | False | 0.837554146039604 | OpenPGP Secret Key | 7.606974793826717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x41000 | 0x1a8608 | 0x17c00 | fbf711e919a24bc95c4e0acf7689b887 | False | 0.019921875 | data | 0.26441594786707856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tuhorak | 0x1ea000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1eb000 | 0x126a8 | 0x12800 | 51fc340c790972774d37e20a995b97b0 | False | 0.3540302998310811 | data | 4.52749976613024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x1f7ed8 | 0xe | data | | | 1.5714285714285714
RT_CURSOR | 0x1f7ee8 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
RT_CURSOR | 0x1f8218 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
RT_CURSOR | 0x1f8370 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x1f9218 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x1f9ac0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_CURSOR | 0x1fa058 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x1faf00 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x1fb7a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_ICON | 0x1eb7c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.4653518123667377
RT_ICON | 0x1eb7c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.4653518123667377
RT_ICON | 0x1ec668 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5762635379061372
RT_ICON | 0x1ec668 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5762635379061372
RT_ICON | 0x1ecf10 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6370967741935484
RT_ICON | 0x1ecf10 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6370967741935484
RT_ICON | 0x1ed5d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6958092485549133
RT_ICON | 0x1ed5d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6958092485549133
RT_ICON | 0x1edb40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.3561203319502075
RT_ICON | 0x1edb40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.3561203319502075
RT_ICON | 0x1f00e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.44394934333958724
RT_ICON | 0x1f00e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.44394934333958724
RT_ICON | 0x1f1190 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.5163934426229508
RT_ICON | 0x1f1190 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.5163934426229508
RT_ICON | 0x1f1b18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.6072695035460993
RT_ICON | 0x1f1b18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.6072695035460993
RT_ICON | 0x1f1ff8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.36807036247334757
RT_ICON | 0x1f1ff8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.36807036247334757
RT_ICON | 0x1f2ea0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.45126353790613716
RT_ICON | 0x1f2ea0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.45126353790613716
RT_ICON | 0x1f3748 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.4596774193548387
RT_ICON | 0x1f3748 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.4596774193548387
RT_ICON | 0x1f3e10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4588150289017341
RT_ICON | 0x1f3e10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4588150289017341
RT_ICON | 0x1f4378 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.26981327800829874
RT_ICON | 0x1f4378 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.26981327800829874
RT_ICON | 0x1f6920 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.30605065666041276
RT_ICON | 0x1f6920 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.30605065666041276
RT_ICON | 0x1f79c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3599290780141844
RT_ICON | 0x1f79c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3599290780141844
RT_STRING | 0x1fbfa8 | 0x4a8 | data | Tamil | India | 0.4513422818791946
RT_STRING | 0x1fbfa8 | 0x4a8 | data | Tamil | Sri Lanka | 0.4513422818791946
RT_STRING | 0x1fc450 | 0x70c | data | Tamil | India | 0.4262749445676275
RT_STRING | 0x1fc450 | 0x70c | data | Tamil | Sri Lanka | 0.4262749445676275
RT_STRING | 0x1fcb60 | 0x2ea | data | Tamil | India | 0.4745308310991957
RT_STRING | 0x1fcb60 | 0x2ea | data | Tamil | Sri Lanka | 0.4745308310991957
RT_STRING | 0x1fce50 | 0x5a0 | data | Tamil | India | 0.44305555555555554
RT_STRING | 0x1fce50 | 0x5a0 | data | Tamil | Sri Lanka | 0.44305555555555554
RT_STRING | 0x1fd3f0 | 0x2b4 | data | Tamil | India | 0.4884393063583815
RT_STRING | 0x1fd3f0 | 0x2b4 | data | Tamil | Sri Lanka | 0.4884393063583815
RT_ACCELERATOR | 0x1f7e98 | 0x40 | data | Tamil | India | 0.875
RT_ACCELERATOR | 0x1f7e98 | 0x40 | data | Tamil | Sri Lanka | 0.875
RT_GROUP_CURSOR | 0x1f8348 | 0x22 | data | | | 1.0294117647058822
RT_GROUP_CURSOR | 0x1fa028 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x1fbd10 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x1f1f80 | 0x76 | data | Tamil | India | 0.6610169491525424
RT_GROUP_ICON | 0x1f1f80 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424
RT_GROUP_ICON | 0x1f7e30 | 0x68 | data | Tamil | India | 0.7115384615384616
RT_GROUP_ICON | 0x1f7e30 | 0x68 | data | Tamil | Sri Lanka | 0.7115384615384616
RT_VERSION | 0x1fbd40 | 0x268 | MS Windows COFF Motorola 68000 object file | | | 0.5454545454545454
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, CreateJobObjectW, InterlockedCompareExchange, UnlockFile, CreateHardLinkA, GetTickCount, CreateNamedPipeW, FindNextVolumeMountPointA, SetCommState, GlobalAlloc, LoadLibraryW, GetCalendarInfoA, SetVolumeMountPointA, GetSystemWindowsDirectoryA, GetConsoleAliasExesLengthW, GetFileAttributesW, GetModuleFileNameW, CreateActCtxA, GetThreadPriorityBoost, VerifyVersionInfoW, GetLogicalDriveStringsA, SetLastError, GetProcAddress, GetConsoleDisplayMode, GetProcessVersion, InterlockedExchangeAdd, CreateFileMappingW, SetDefaultCommConfigW, CreateEventW, OpenEventA, GlobalWire, EnumDateFormatsA, EnumResourceNamesA, VirtualProtect, GetCurrentDirectoryA, WaitForDebugEvent, PeekConsoleInputA, GetShortPathNameW, SetProcessShutdownParameters, SetFileShortNameA, GetDiskFreeSpaceExA, ReadConsoleInputW, GetTempPathA, EnumCalendarInfoExA, LocalFree, TlsFree, LCMapStringW, CommConfigDialogW, WriteConsoleW, CloseHandle, FlushFileBuffers, GetConsoleMode, GetConsoleCP, GetCurrentProcess, SetEndOfFile, GetConsoleAliasExesA, GetNumberFormatW, GetLocaleInfoA, MultiByteToWideChar, GetLastError, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, GetCurrentThreadId, HeapAlloc, IsProcessorFeaturePresent, HeapCreate, ReadFile, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, GetStringTypeW, RaiseException, SetFilePointer, SetStdHandle, RtlUnwind, HeapSize, CreateFileW
USER32.dll | DrawStateA, LoadMenuW, CharUpperW, GetSysColor, GetMenuStringA, GetCaretPos, SetMenu
GDI32.dll | GetCharWidthFloatA, CreateDCW, GetCharWidth32A, GetBitmapBits
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 3, 2024 18:52:03.807069063 CEST | 192.168.2.5 | 1.1.1.1 | 0x90b7 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:04.818192959 CEST | 192.168.2.5 | 1.1.1.1 | 0x90b7 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:06.787606955 CEST | 192.168.2.5 | 1.1.1.1 | 0x1182 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:24.990673065 CEST | 192.168.2.5 | 1.1.1.1 | 0x287c | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:52:25.349956036 CEST | 192.168.2.5 | 1.1.1.1 | 0x19d4 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:45.365642071 CEST | 192.168.2.5 | 1.1.1.1 | 0x969e | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:52:45.376977921 CEST | 192.168.2.5 | 1.1.1.1 | 0x65f8 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:53:05.381123066 CEST | 192.168.2.5 | 1.1.1.1 | 0x6c94 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:53:05.390167952 CEST | 192.168.2.5 | 1.1.1.1 | 0x9201 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:54:03.637475967 CEST | 192.168.2.5 | 1.1.1.1 | 0xa2af | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 3, 2024 18:52:05.004380941 CEST | 1.1.1.1 | 192.168.2.5 | 0x90b7 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:05.004380941 CEST | 1.1.1.1 | 192.168.2.5 | 0x90b7 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:05.004380941 CEST | 1.1.1.1 | 192.168.2.5 | 0x90b7 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:05.004380941 CEST | 1.1.1.1 | 192.168.2.5 | 0x90b7 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:06.884063005 CEST | 1.1.1.1 | 192.168.2.5 | 0x1182 | No error (0) | vanaheim.cn | | 77.232.41.29 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.348705053 CEST | 1.1.1.1 | 192.168.2.5 | 0x287c | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:52:25.348705053 CEST | 1.1.1.1 | 192.168.2.5 | 0x287c | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:52:25.348705053 CEST | 1.1.1.1 | 192.168.2.5 | 0x287c | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:25.357667923 CEST | 1.1.1.1 | 192.168.2.5 | 0x19d4 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:45.376255035 CEST | 1.1.1.1 | 192.168.2.5 | 0x969e | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:52:45.388046026 CEST | 1.1.1.1 | 192.168.2.5 | 0x65f8 | No error (0) | smtp.google.com | | 64.233.167.26 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:45.388046026 CEST | 1.1.1.1 | 192.168.2.5 | 0x65f8 | No error (0) | smtp.google.com | | 64.233.166.27 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:45.388046026 CEST | 1.1.1.1 | 192.168.2.5 | 0x65f8 | No error (0) | smtp.google.com | | 64.233.166.26 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:45.388046026 CEST | 1.1.1.1 | 192.168.2.5 | 0x65f8 | No error (0) | smtp.google.com | | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:52:45.388046026 CEST | 1.1.1.1 | 192.168.2.5 | 0x65f8 | No error (0) | smtp.google.com | | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:53:05.389504910 CEST | 1.1.1.1 | 192.168.2.5 | 0x6c94 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 3, 2024 18:53:05.398809910 CEST | 1.1.1.1 | 192.168.2.5 | 0x9201 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:53:05.398809910 CEST | 1.1.1.1 | 192.168.2.5 | 0x9201 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:54:03.663471937 CEST | 1.1.1.1 | 192.168.2.5 | 0xa2af | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:54:03.663471937 CEST | 1.1.1.1 | 192.168.2.5 | 0xa2af | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:54:03.663471937 CEST | 1.1.1.1 | 192.168.2.5 | 0xa2af | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 18:54:03.663471937 CEST | 1.1.1.1 | 192.168.2.5 | 0xa2af | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false


                                                                                      Target ID:0
                                                                                      Start time:12:51:57
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Users\user\Desktop\UUJycuNA6D.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\UUJycuNA6D.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:433'664 bytes
                                                                                      MD5 hash:B2E864C2F8F6E243822A5C133BB41061
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2089364508.000000000066A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2053025952.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:12:51:58
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tizvpcy\
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:12:51:59
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:12:51:59
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\oxdombt.exe" C:\Windows\SysWOW64\tizvpcy\
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:12:51:59
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:12:52:00
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                      Imagebase:0xa50000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:12:52:00
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:12:52:00
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" description tizvpcy "wifi internet conection"
                                                                                      Imagebase:0xa50000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:9
                                                                                      Start time:12:52:00
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:12:52:01
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\sc.exe" start tizvpcy
                                                                                      Imagebase:0xa50000
                                                                                      File size:61'440 bytes
                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:12:52:01
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:12:52:01
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d"C:\Users\user\Desktop\UUJycuNA6D.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:14'528'000 bytes
                                                                                      MD5 hash:89183525E055B4B7B91D225D5CE6066A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2090151383.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2090230631.0000000000833000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2089251040.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:12:52:01
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                      Imagebase:0x1080000
                                                                                      File size:82'432 bytes
                                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:12:52:01
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:15
                                                                                      Start time:12:52:02
                                                                                      Start date:03/09/2024
                                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:svchost.exe
                                                                                      Imagebase:0x70000
                                                                                      File size:46'504 bytes
                                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Has exited:false
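
The entries above record the persistence chain in order: sc.exe creates a service named tizvpcy whose binPath is an executable placed in a fresh subdirectory of C:\Windows\SysWOW64, with a /d argument pointing back at the dropper on the user's Desktop; a plausible description ("wifi internet conection") is set and the service is started; netsh.exe then adds an inbound allow rule for C:\Windows\SysWOW64\svchost.exe, and an svchost.exe appears with the bare command line "svchost.exe" (no -k service-group argument) whose memory matches the Tofsee Yara rules. The following Python is an added example, not part of the Joe Sandbox report, that flags each link of that chain in process-creation records. The record layout ("rec", "image", "cmd") and the two benign control records are constructed for the example; the suspicious command lines are copied from the entries above.

```python
"""Flag the service-persistence chain recorded above in process-creation events."""
import re
from dataclasses import dataclass

# Constructed records: "rec" is an index for this example, not the report's
# Target ID. Records 1-5 reuse command lines from the report; 6 and 7 are
# benign controls that must not fire.
SAMPLE_EVENTS = [
    {"rec": 1, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": r'"C:\Windows\System32\sc.exe" create tizvpcy binPath= "C:\Windows\SysWOW64\tizvpcy\oxdombt.exe /d\"C:\Users\user\Desktop\UUJycuNA6D.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"rec": 2, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": r'"C:\Windows\System32\sc.exe" description tizvpcy "wifi internet conection"'},
    {"rec": 3, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": r'"C:\Windows\System32\sc.exe" start tizvpcy'},
    {"rec": 4, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"rec": 5, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmd": "svchost.exe"},
    {"rec": 6, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"rec": 7, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc.exe create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
]


@dataclass(frozen=True)
class Finding:
    rec: int
    rule: str
    detail: str


# sc.exe writes options as "key= value"; quoted values may carry \" escapes.
_SC_OPT = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')
# netsh writes options as key=value; quoted values carry no escapes.
_NETSH_OPT = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Executable part of a binPath: quoted, or up to the first ".exe", or one token.
_EXE_AND_ARGS = re.compile(r'^\s*("[^"]+"|.+?\.exe\b|\S+)(?:\s+(.*))?$', re.I)
_SC_CREATE = re.compile(r'^\s*(?:"[^"]*\\sc\.exe"|\S*\bsc(?:\.exe)?)\s+create\s+(\S+)\s*(.*)$', re.I)
_NETSH_ADD = re.compile(r'^\s*(?:"[^"]*\\netsh\.exe"|\S*\bnetsh(?:\.exe)?)\s+advfirewall\s+firewall\s+add\s+rule\s+(.*)$', re.I)
# Service binaries normally live directly in System32, not in an ad-hoc SysWOW64 subdirectory.
_SYSWOW64_SUBDIR = re.compile(r'^[a-z]:\\windows\\syswow64\\[^\\]+\\[^\\]+$', re.I)
_USER_PROFILE = re.compile(r'\\users\\[^\\]+\\', re.I)


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"')


def parse_sc_create(cmd: str):
    """Return (service_name, {option: value}) for an 'sc create' command line, else None."""
    m = _SC_CREATE.match(cmd)
    if not m:
        return None
    return m.group(1), {k.lower(): _unquote(v) for k, v in _SC_OPT.findall(m.group(2))}


def split_binpath(binpath: str):
    """Split a service binPath into (executable path, argument string)."""
    m = _EXE_AND_ARGS.match(binpath)
    if not m:
        return "", ""
    return _unquote(m.group(1)), (m.group(2) or "")


def parse_netsh_firewall_add(cmd: str):
    """Return {option: value} for 'netsh advfirewall firewall add rule', else None."""
    m = _NETSH_ADD.match(cmd)
    if not m:
        return None
    rest = re.sub(r'\s*>\s*nul\s*$', '', m.group(1), flags=re.I)  # drop the recorded ">nul" redirection
    return {k.lower(): _unquote(v) for k, v in _NETSH_OPT.findall(rest)}


def scan(events):
    """Run the three detections over the records and return the findings."""
    findings = []
    for ev in events:
        cmd, image = ev["cmd"], ev["image"]
        svc = parse_sc_create(cmd)
        if svc:
            name, opts = svc
            exe, args = split_binpath(opts.get("binpath", ""))
            if _SYSWOW64_SUBDIR.match(exe):
                findings.append(Finding(ev["rec"], "service_binary_in_syswow64_subdir", f"{name}: {exe}"))
            if _USER_PROFILE.search(args):
                findings.append(Finding(ev["rec"], "service_args_reference_user_profile", f"{name}: {args}"))
        fw = parse_netsh_firewall_add(cmd)
        if fw and fw.get("action", "").lower() == "allow" and fw.get("dir", "").lower() == "in" \
                and fw.get("program", "").lower().endswith("\\svchost.exe"):
            findings.append(Finding(ev["rec"], "inbound_allow_rule_for_svchost", fw["program"]))
        # A real service host is started as "svchost.exe -k <group>"; a bare svchost.exe is not.
        if image.lower().endswith("\\svchost.exe") and not re.search(r'\s-k\s', f" {cmd} ", re.I):
            findings.append(Finding(ev["rec"], "svchost_without_service_group", cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"rec {f.rec}: {f.rule}: {f.detail}")
```

Run against the constructed records, the scan fires four times: twice on record 1 (binary in a SysWOW64 subdirectory, /d argument under C:\Users), once on record 4 (inbound allow rule for svchost.exe) and once on record 5 (svchost.exe without -k); the two benign controls stay silent. The sc.exe parser has to tolerate the escaped quotes inside binPath, which is why it is kept separate from the simpler netsh option parser.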


                                                                                        Execution Graph

                                                                                        Execution Coverage:3.7%
                                                                                        Dynamic/Decrypted Code Coverage:30.2%
                                                                                        Signature Coverage:27.3%
                                                                                        Total number of Nodes:1592
                                                                                        Total number of Limit Nodes:19
                                                                                        execution_graph: interactive node/edge rendering not reproducible as text; the API calls recorded on graph nodes are kept below, keyed by function address.
                                                                                        Startup and environment: 409a6b SetErrorMode, SetUnhandledExceptionFilter; 40ec54 GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount; 409aa3, 40a167, 409f9d, 40934a GetModuleHandleA, GetModuleFileNameA; 409145 GetModuleHandleA, GetModuleFileNameA, CharToOemA; 409afd, 40a1e3 GetCommandLineA; 401db4 GetVersionExA; 401dd0 GetSystemInfo, GetModuleHandleA, GetProcAddress; 401e16 GetCurrentProcess; 40a1b2, 409ff1 GetDriveTypeA; 406e02 GetVolumeInformationA; 406a8f GetDiskFreeSpaceA; 406d12, 40cfe3, 40d027 GetSystemDirectoryA; 406d27 GetWindowsDirectoryA
                                                                                        Process, thread and service control: 40a39d StartServiceCtrlDispatcherA; 40a103, 40d4b1 CreateProcessA; 4091d5 ShellExecuteA; 40405e, 404280 CreateEventA; 40a41c, 408269 CreateThread; 40cd81 WaitForSingleObject; 409c05, 40d582 ExitProcess
                                                                                        Registry: 409f32, 40972d, 4094e8, 408156, 40e3ca RegOpenKeyExA; 409f48 RegSetValueExA, RegCloseKey; 40974f RegDeleteValueA, RegCloseKey; 40951f, 409556, 40816d, 4081aa RegQueryValueExA
                                                                                        File system: 406784, 4067a4, 406a60, 40cc9f, 40d15b, 40d2b1, 40d3f2 CreateFileA; 403f18, 40ccc6, 40d182, 40d2d8, 40d415 WriteFile; 4067ed, 40682a, 406878, 40690d, 40e576 ReadFile; 406811, 406848, 406900 SetFilePointer; 4067cf, 40e555 GetFileSize; 409dde GetFileAttributesExA; 40677a, 4067ba, 40d149, 40d1bf, 40d3e0, 40d452 SetFileAttributesA; 40a406, 409e0c, 40a12a, 406b7f, 40cdbd DeleteFileA; 409ca0, 409064, 40cc1c GetTempPathA; 409e6b, 40cfad, 40d22d, 40d36e GetEnvironmentVariableA; 40696e, 406b56 FindCloseChangeNotification; 408e26 GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle
                                                                                        Network: 40a41c WSAStartup; 40199c inet_addr, LoadLibraryA; 40c65c send; 40ca4b, 40cb60, 40dad2, 40d569 closesocket
                                                                                        Timing: 40a49f, 40a4b7, 40dd05, 401f8e GetTickCount; 40a3f8, 40a4be, 409904, 408dec Sleep
                                                                                        Heap and dynamic import: 40ebcc GetProcessHeap, RtlAllocateHeap; 40ec2e GetProcessHeap, HeapSize, HeapFree; 40f04e LoadLibraryA, GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime; 406cdc GetModuleHandleA, GetProcAddress
                                                                                        String handling on many nodes: lstrlenA, lstrcpyA, lstrcatA, wsprintfA; error handling: GetLastError at 40a3ed, 406b8c, 406b65, 406b36
15439->15389 15439->15390 15439->15391 15439->15392 15439->15393 15439->15394 15439->15395 15439->15397 15439->15398 15439->15400 15439->15401 15439->15402 15439->15403 15439->15404 15439->15405 15439->15406 15439->15407 15439->15408 15439->15413 15439->15415 15439->15416 15439->15417 15439->15419 15439->15420 15439->15423 15439->15424 15439->15431 15439->15432 15439->15433 15439->15435 15439->15437 15439->15438 15441 40d29f SetFileAttributesA 15439->15441 15443 40d31d SetFileAttributesA 15439->15443 15923 40c75d 15439->15923 15935 407e2f 15439->15935 15957 407ead 15439->15957 15967 4031d0 15439->15967 15984 403c09 15439->15984 15994 403a00 15439->15994 15998 40e7b4 15439->15998 16001 40c06c 15439->16001 16007 406f5f GetUserNameA 15439->16007 16018 40e854 15439->16018 16028 407dd6 15439->16028 15441->15435 15443->15439 15445 40741b 15444->15445 15446 406dc2 6 API calls 15445->15446 15447 40743f 15446->15447 15448 407469 RegOpenKeyExA 15447->15448 15449 4077f9 15448->15449 15460 407487 ___ascii_stricmp 15448->15460 15449->15059 15450 407703 RegEnumKeyA 15451 407714 RegCloseKey 15450->15451 15450->15460 15451->15449 15452 40f1a5 lstrlenA 15452->15460 15453 4074d2 RegOpenKeyExA 15453->15460 15454 40772c 15456 407742 RegCloseKey 15454->15456 15457 40774b 15454->15457 15455 407521 RegQueryValueExA 15455->15460 15456->15457 15458 4077ec RegCloseKey 15457->15458 15458->15449 15459 4076e4 RegCloseKey 15459->15460 15460->15450 15460->15452 15460->15453 15460->15454 15460->15455 15460->15459 15462 40777e GetFileAttributesExA 15460->15462 15463 407769 15460->15463 15461 4077e3 RegCloseKey 15461->15458 15462->15463 15463->15461 15465 407073 15464->15465 15466 4070b9 RegOpenKeyExA 15465->15466 15467 4070d0 15466->15467 15481 4071b8 15466->15481 15468 406dc2 6 API calls 15467->15468 15471 4070d5 15468->15471 15469 40719b RegEnumValueA 15470 4071af RegCloseKey 15469->15470 15469->15471 15470->15481 15471->15469 15473 4071d0 15471->15473 15487 40f1a5 lstrlenA 15471->15487 15474 
407205 RegCloseKey 15473->15474 15475 407227 15473->15475 15474->15481 15476 4072b8 ___ascii_stricmp 15475->15476 15477 40728e RegCloseKey 15475->15477 15478 4072cd RegCloseKey 15476->15478 15479 4072dd 15476->15479 15477->15481 15478->15481 15480 407311 RegCloseKey 15479->15480 15483 407335 15479->15483 15480->15481 15481->15060 15482 4073d5 RegCloseKey 15484 4073e4 15482->15484 15483->15482 15485 40737e GetFileAttributesExA 15483->15485 15486 407397 15483->15486 15485->15486 15486->15482 15488 40f1c3 15487->15488 15488->15471 15490 403edc 15489->15490 15492 403ee2 15489->15492 15491 406dc2 6 API calls 15490->15491 15491->15492 15492->15066 15494 40400b CreateFileA 15493->15494 15495 40402c GetLastError 15494->15495 15496 404052 15494->15496 15495->15496 15497 404037 15495->15497 15496->15064 15496->15069 15496->15070 15497->15496 15498 404041 Sleep 15497->15498 15498->15494 15498->15496 15500 403f7c 15499->15500 15501 403f4e GetLastError 15499->15501 15503 403f8c ReadFile 15500->15503 15501->15500 15502 403f5b WaitForSingleObject GetOverlappedResult 15501->15502 15502->15500 15504 403ff0 15503->15504 15505 403fc2 GetLastError 15503->15505 15504->15075 15504->15076 15505->15504 15506 403fcf WaitForSingleObject GetOverlappedResult 15505->15506 15506->15504 15510 40eb74 15507->15510 15511 40eb7b GetProcessHeap HeapSize 15510->15511 15512 404350 15510->15512 15511->15512 15512->15083 15514 401924 GetVersionExA 15513->15514 15514->15127 15516 406eef AllocateAndInitializeSid 15515->15516 15522 406f55 15515->15522 15517 406f1c CheckTokenMembership 15516->15517 15520 406f44 15516->15520 15518 406f3b FreeSid 15517->15518 15519 406f2e 15517->15519 15518->15520 15519->15518 15520->15522 15549 406e36 GetUserNameW 15520->15549 15522->15137 15524 409308 15523->15524 15526 40920e 15523->15526 15524->15154 15525 4092f1 Sleep 15525->15526 15526->15524 15526->15525 15526->15526 15527 4092bf ShellExecuteA 15526->15527 15527->15524 15527->15526 15529 40ef32 15528->15529 15529->15153 
15531 40f0f1 15530->15531 15532 40f0ed 15530->15532 15533 40f119 15531->15533 15534 40f0fa lstrlenA SysAllocStringByteLen 15531->15534 15532->15159 15536 40f11c MultiByteToWideChar 15533->15536 15535 40f117 15534->15535 15534->15536 15535->15159 15536->15535 15538 401820 17 API calls 15537->15538 15540 4018f2 15538->15540 15539 4018f9 15539->15154 15540->15539 15552 401280 15540->15552 15542 401908 15542->15154 15564 401000 15543->15564 15545 401839 15546 401851 GetCurrentProcess 15545->15546 15547 40183d 15545->15547 15548 401864 15546->15548 15547->15145 15548->15145 15550 406e5f LookupAccountNameW 15549->15550 15551 406e97 15549->15551 15550->15551 15551->15522 15553 4012e1 15552->15553 15554 4016f9 GetLastError 15553->15554 15561 4013a8 15553->15561 15555 401699 15554->15555 15555->15542 15556 401570 lstrlenW 15556->15561 15557 4015be GetStartupInfoW 15557->15561 15558 4015ff CreateProcessWithLogonW 15559 4016bf GetLastError 15558->15559 15560 40163f WaitForSingleObject 15558->15560 15559->15555 15560->15561 15562 401659 CloseHandle 15560->15562 15561->15555 15561->15556 15561->15557 15561->15558 15563 401668 CloseHandle 15561->15563 15562->15561 15563->15561 15565 40100d LoadLibraryA 15564->15565 15572 401023 15564->15572 15566 401021 15565->15566 15565->15572 15566->15545 15567 4010b5 GetProcAddress 15568 4010d1 GetProcAddress 15567->15568 15569 40127b 15567->15569 15568->15569 15570 4010f0 GetProcAddress 15568->15570 15569->15545 15570->15569 15571 401110 GetProcAddress 15570->15571 15571->15569 15573 401130 GetProcAddress 15571->15573 15572->15567 15584 4010ae 15572->15584 15573->15569 15574 40114f GetProcAddress 15573->15574 15574->15569 15575 40116f GetProcAddress 15574->15575 15575->15569 15576 40118f GetProcAddress 15575->15576 15576->15569 15577 4011ae GetProcAddress 15576->15577 15577->15569 15578 4011ce GetProcAddress 15577->15578 15578->15569 15579 4011ee GetProcAddress 15578->15579 15579->15569 15580 401209 GetProcAddress 15579->15580 15580->15569 
15581 401225 GetProcAddress 15580->15581 15581->15569 15582 401241 GetProcAddress 15581->15582 15582->15569 15583 40125c GetProcAddress 15582->15583 15583->15569 15584->15545 15587 4069b9 WriteFile 15585->15587 15588 406a3c 15587->15588 15590 4069ff 15587->15590 15588->15169 15588->15170 15589 406a10 WriteFile 15589->15588 15589->15590 15590->15588 15590->15589 15592 40eb17 15591->15592 15593 40eb21 15591->15593 15595 40eae4 15592->15595 15593->15173 15596 40eb02 GetProcAddress 15595->15596 15597 40eaed LoadLibraryA 15595->15597 15596->15593 15597->15596 15598 40eb01 15597->15598 15598->15593 15600 40eba7 GetProcessHeap HeapSize 15599->15600 15601 40ebbf GetProcessHeap HeapFree 15599->15601 15600->15601 15601->15202 15603 40908d 15602->15603 15604 4090e2 wsprintfA 15603->15604 15605 40ee2a 15604->15605 15606 4090fd CreateFileA 15605->15606 15607 40911a lstrlenA WriteFile CloseHandle 15606->15607 15608 40913f 15606->15608 15607->15608 15608->15211 15608->15212 15610 40ee2a 15609->15610 15611 409794 CreateProcessA 15610->15611 15612 4097c2 15611->15612 15613 4097bb 15611->15613 15614 4097d4 GetThreadContext 15612->15614 15613->15223 15615 409801 15614->15615 15616 4097f5 15614->15616 15623 40637c 15615->15623 15617 4097f6 TerminateProcess 15616->15617 15617->15613 15619 409816 15619->15617 15620 40981e WriteProcessMemory 15619->15620 15620->15616 15621 40983b SetThreadContext 15620->15621 15621->15616 15622 409858 ResumeThread 15621->15622 15622->15613 15624 406386 15623->15624 15625 40638a GetModuleHandleA VirtualAlloc 15623->15625 15624->15619 15626 4063b6 15625->15626 15630 4063f5 15625->15630 15627 4063be VirtualAllocEx 15626->15627 15628 4063d6 15627->15628 15627->15630 15629 4063df WriteProcessMemory 15628->15629 15629->15630 15630->15619 15632 40dd41 InterlockedExchange 15631->15632 15633 40dd20 GetCurrentThreadId 15632->15633 15634 40dd4a 15632->15634 15635 40dd53 GetCurrentThreadId 15633->15635 15636 40dd2e GetTickCount 15633->15636 15634->15635 15635->15226 
15636->15634 15637 40dd39 Sleep 15636->15637 15637->15632 15639 40dbf0 15638->15639 15671 40db67 GetEnvironmentVariableA 15639->15671 15641 40dc19 15642 40dcda 15641->15642 15643 40db67 3 API calls 15641->15643 15642->15228 15644 40dc5c 15643->15644 15644->15642 15645 40db67 3 API calls 15644->15645 15646 40dc9b 15645->15646 15646->15642 15647 40db67 3 API calls 15646->15647 15647->15642 15649 40db3a 15648->15649 15651 40db55 15648->15651 15675 40ebed 15649->15675 15651->15230 15651->15235 15684 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15652->15684 15654 40e3be 15654->15230 15655 40e342 15655->15654 15687 40de24 15655->15687 15658 40e528 15657->15658 15659 40e3f4 15657->15659 15658->15239 15660 40e434 RegQueryValueExA 15659->15660 15661 40e458 15660->15661 15662 40e51d RegCloseKey 15660->15662 15663 40e46e RegQueryValueExA 15661->15663 15662->15658 15663->15661 15664 40e488 15663->15664 15664->15662 15665 40db2e 8 API calls 15664->15665 15666 40e499 15665->15666 15666->15662 15667 40e4b9 RegQueryValueExA 15666->15667 15668 40e4e8 15666->15668 15667->15666 15667->15668 15668->15662 15669 40e332 14 API calls 15668->15669 15670 40e513 15669->15670 15670->15662 15672 40db89 lstrcpyA CreateFileA 15671->15672 15673 40dbca 15671->15673 15672->15641 15673->15641 15676 40ec01 15675->15676 15677 40ebf6 15675->15677 15679 40eba0 codecvt 2 API calls 15676->15679 15678 40ebcc 4 API calls 15677->15678 15680 40ebfe 15678->15680 15681 40ec0a GetProcessHeap HeapReAlloc 15679->15681 15680->15651 15682 40eb74 2 API calls 15681->15682 15683 40ec28 15682->15683 15683->15651 15698 40eb41 15684->15698 15688 40de3a 15687->15688 15693 40de4e 15688->15693 15702 40dd84 15688->15702 15691 40de9e 15692 40ebed 8 API calls 15691->15692 15691->15693 15696 40def6 15692->15696 15693->15655 15694 40de76 15706 40ddcf 15694->15706 15696->15693 15697 40ddcf lstrcmpA 15696->15697 15697->15693 15699 40eb54 15698->15699 15700 40eb4a 15698->15700 15699->15655 15701 40eae4 2 API calls 
15700->15701 15701->15699 15703 40dd96 15702->15703 15704 40ddc5 15702->15704 15703->15704 15705 40ddad lstrcmpiA 15703->15705 15704->15691 15704->15694 15705->15703 15705->15704 15707 40dddd 15706->15707 15709 40de20 15706->15709 15708 40ddfa lstrcmpA 15707->15708 15707->15709 15708->15707 15709->15693 15711 40dd05 6 API calls 15710->15711 15712 40e821 15711->15712 15713 40dd84 lstrcmpiA 15712->15713 15714 40e82c 15713->15714 15715 40e844 15714->15715 15758 402480 15714->15758 15715->15255 15718 40dd05 6 API calls 15717->15718 15719 40df7c 15718->15719 15720 40dd84 lstrcmpiA 15719->15720 15724 40df89 15720->15724 15721 40dfc4 15721->15261 15722 40ddcf lstrcmpA 15722->15724 15723 40ec2e codecvt 4 API calls 15723->15724 15724->15721 15724->15722 15724->15723 15725 40dd84 lstrcmpiA 15724->15725 15725->15724 15727 40ea98 15726->15727 15767 40e8a1 15727->15767 15729 401e84 15729->15264 15731 4019d5 GetProcAddress GetProcAddress GetProcAddress 15730->15731 15735 4019ce 15730->15735 15732 401ab3 FreeLibrary 15731->15732 15733 401a04 15731->15733 15732->15735 15733->15732 15734 401a14 GetProcessHeap 15733->15734 15734->15735 15737 401a2e HeapAlloc 15734->15737 15735->15268 15737->15735 15738 401a42 15737->15738 15739 401a52 HeapReAlloc 15738->15739 15741 401a62 15738->15741 15739->15741 15740 401aa1 FreeLibrary 15740->15735 15741->15740 15742 401a96 HeapFree 15741->15742 15742->15740 15795 401ac3 LoadLibraryA 15743->15795 15746 401bcf 15746->15279 15748 401ac3 12 API calls 15747->15748 15749 401c09 15748->15749 15750 401c0d GetComputerNameA 15749->15750 15753 401c41 15749->15753 15751 401c45 GetVolumeInformationA 15750->15751 15752 401c1f 15750->15752 15751->15753 15752->15751 15752->15753 15753->15287 15755 40ee2a 15754->15755 15756 4030d0 gethostname gethostbyname 15755->15756 15757 401f82 15756->15757 15757->15292 15757->15294 15761 402419 lstrlenA 15758->15761 15760 402491 15760->15715 15762 40243d lstrlenA 15761->15762 15765 402474 15761->15765 15763 402464 lstrlenA 
15762->15763 15764 40244e lstrcmpiA 15762->15764 15763->15762 15763->15765 15764->15763 15766 40245c 15764->15766 15765->15760 15766->15763 15766->15765 15768 40dd05 6 API calls 15767->15768 15769 40e8b4 15768->15769 15770 40dd84 lstrcmpiA 15769->15770 15771 40e8c0 15770->15771 15772 40e90a 15771->15772 15773 40e8c8 lstrcpynA 15771->15773 15775 402419 4 API calls 15772->15775 15783 40ea27 15772->15783 15774 40e8f5 15773->15774 15788 40df4c 15774->15788 15776 40e926 lstrlenA lstrlenA 15775->15776 15777 40e96a 15776->15777 15778 40e94c lstrlenA 15776->15778 15782 40ebcc 4 API calls 15777->15782 15777->15783 15778->15777 15780 40e901 15781 40dd84 lstrcmpiA 15780->15781 15781->15772 15784 40e98f 15782->15784 15783->15729 15784->15783 15785 40df4c 20 API calls 15784->15785 15786 40ea1e 15785->15786 15787 40ec2e codecvt 4 API calls 15786->15787 15787->15783 15789 40dd05 6 API calls 15788->15789 15790 40df51 15789->15790 15791 40f04e 4 API calls 15790->15791 15792 40df58 15791->15792 15793 40de24 10 API calls 15792->15793 15794 40df63 15793->15794 15794->15780 15796 401ae2 GetProcAddress 15795->15796 15798 401b68 GetComputerNameA GetVolumeInformationA 15795->15798 15796->15798 15801 401af5 15796->15801 15797 40ebed 8 API calls 15797->15801 15798->15746 15799 401b29 15799->15798 15799->15799 15800 40ec2e codecvt 4 API calls 15799->15800 15800->15798 15801->15797 15801->15799 15803 406ec3 2 API calls 15802->15803 15804 407ef4 15803->15804 15805 407fc9 15804->15805 15806 4073ff 17 API calls 15804->15806 15805->15305 15807 407f16 15806->15807 15807->15805 15815 407809 GetUserNameA 15807->15815 15809 407f63 15809->15805 15810 40ef1e lstrlenA 15809->15810 15811 407fa6 15810->15811 15812 40ef1e lstrlenA 15811->15812 15813 407fb7 15812->15813 15839 407a95 RegOpenKeyExA 15813->15839 15816 40783d LookupAccountNameA 15815->15816 15817 407a8d 15815->15817 15816->15817 15818 407874 GetLengthSid GetFileSecurityA 15816->15818 15817->15809 15818->15817 15819 4078a8 
GetSecurityDescriptorOwner 15818->15819 15820 4078c5 EqualSid 15819->15820 15821 40791d GetSecurityDescriptorDacl 15819->15821 15820->15821 15822 4078dc LocalAlloc 15820->15822 15821->15817 15837 407941 15821->15837 15822->15821 15823 4078ef InitializeSecurityDescriptor 15822->15823 15824 407916 LocalFree 15823->15824 15825 4078fb SetSecurityDescriptorOwner 15823->15825 15824->15821 15825->15824 15827 40790b SetFileSecurityA 15825->15827 15826 40795b GetAce 15826->15837 15827->15824 15828 407980 EqualSid 15828->15837 15829 4079be EqualSid 15829->15837 15830 407a3d 15830->15817 15831 407a43 LocalAlloc 15830->15831 15831->15817 15833 407a56 InitializeSecurityDescriptor 15831->15833 15832 40799d DeleteAce 15832->15837 15834 407a62 SetSecurityDescriptorDacl 15833->15834 15835 407a86 LocalFree 15833->15835 15834->15835 15836 407a73 SetFileSecurityA 15834->15836 15835->15817 15836->15835 15838 407a83 15836->15838 15837->15817 15837->15826 15837->15828 15837->15829 15837->15830 15837->15832 15838->15835 15840 407ac4 15839->15840 15841 407acb GetUserNameA 15839->15841 15840->15805 15842 407da7 RegCloseKey 15841->15842 15843 407aed LookupAccountNameA 15841->15843 15842->15840 15843->15842 15844 407b24 RegGetKeySecurity 15843->15844 15844->15842 15845 407b49 GetSecurityDescriptorOwner 15844->15845 15846 407b63 EqualSid 15845->15846 15847 407bb8 GetSecurityDescriptorDacl 15845->15847 15846->15847 15849 407b74 LocalAlloc 15846->15849 15848 407da6 15847->15848 15859 407bdc 15847->15859 15848->15842 15849->15847 15850 407b8a InitializeSecurityDescriptor 15849->15850 15851 407bb1 LocalFree 15850->15851 15852 407b96 SetSecurityDescriptorOwner 15850->15852 15851->15847 15852->15851 15854 407ba6 RegSetKeySecurity 15852->15854 15853 407bf8 GetAce 15853->15859 15854->15851 15855 407c1d EqualSid 15855->15859 15856 407cd9 15856->15848 15860 407d5a LocalAlloc 15856->15860 15862 407cf2 RegOpenKeyExA 15856->15862 15857 407c5f EqualSid 15857->15859 15858 407c3a DeleteAce 15858->15859 
15859->15848 15859->15853 15859->15855 15859->15856 15859->15857 15859->15858 15860->15848 15861 407d70 InitializeSecurityDescriptor 15860->15861 15863 407d7c SetSecurityDescriptorDacl 15861->15863 15864 407d9f LocalFree 15861->15864 15862->15860 15867 407d0f 15862->15867 15863->15864 15865 407d8c RegSetKeySecurity 15863->15865 15864->15848 15865->15864 15866 407d9c 15865->15866 15866->15864 15868 407d43 RegSetValueExA 15867->15868 15868->15860 15869 407d54 15868->15869 15869->15860 15870->15322 15872 40dd05 6 API calls 15871->15872 15875 40e65f 15872->15875 15873 40e6a5 15874 40ebcc 4 API calls 15873->15874 15878 40e6f5 15873->15878 15877 40e6b0 15874->15877 15875->15873 15876 40e68c lstrcmpA 15875->15876 15876->15875 15877->15878 15880 40e6b7 15877->15880 15881 40e6e0 lstrcpynA 15877->15881 15879 40e71d lstrcmpA 15878->15879 15878->15880 15879->15878 15880->15324 15881->15878 15882->15330 15884 40c525 15883->15884 15885 40c532 15883->15885 15884->15885 15887 40ec2e codecvt 4 API calls 15884->15887 15886 40c548 15885->15886 16035 40e7ff 15885->16035 15889 40e7ff lstrcmpiA 15886->15889 15897 40c54f 15886->15897 15887->15885 15890 40c615 15889->15890 15891 40ebcc 4 API calls 15890->15891 15890->15897 15891->15897 15892 40c5d1 15894 40ebcc 4 API calls 15892->15894 15894->15897 15895 40e819 11 API calls 15896 40c5b7 15895->15896 15898 40f04e 4 API calls 15896->15898 15897->15343 15899 40c5bf 15898->15899 15899->15886 15899->15892 15901 402692 inet_addr 15900->15901 15902 40268e 15900->15902 15901->15902 15903 40269e gethostbyname 15901->15903 15904 40f428 15902->15904 15903->15902 16038 40f315 15904->16038 15909 40c8d2 15907->15909 15908 40c907 15908->15345 15909->15908 15910 40c517 23 API calls 15909->15910 15910->15908 15911 40f43e 15912 40f473 recv 15911->15912 15913 40f458 15912->15913 15914 40f47c 15912->15914 15913->15912 15913->15914 15914->15361 15916 40c670 15915->15916 15917 40c67d 15915->15917 15918 40ebcc 4 API calls 15916->15918 15919 40ebcc 4 API calls 
15917->15919 15920 40c699 15917->15920 15918->15917 15919->15920 15921 40c6f3 15920->15921 15922 40c73c send 15920->15922 15921->15374 15921->15439 15922->15921 15924 40c770 15923->15924 15926 40c77d 15923->15926 15925 40ebcc 4 API calls 15924->15925 15925->15926 15927 40c799 15926->15927 15928 40ebcc 4 API calls 15926->15928 15929 40c7b5 15927->15929 15930 40ebcc 4 API calls 15927->15930 15928->15927 15931 40f43e recv 15929->15931 15930->15929 15932 40c7cb 15931->15932 15933 40f43e recv 15932->15933 15934 40c7d3 15932->15934 15933->15934 15934->15439 16051 407db7 15935->16051 15938 40f04e 4 API calls 15939 407e4c 15938->15939 15942 40f04e 4 API calls 15939->15942 15943 407e70 15939->15943 15940 40f04e 4 API calls 15941 407e96 15940->15941 15941->15439 15942->15943 15943->15940 15943->15941 15945 406ec3 2 API calls 15944->15945 15946 407fdd 15945->15946 15947 4080c2 CreateProcessA 15946->15947 15948 4073ff 17 API calls 15946->15948 15947->15425 15947->15426 15949 407fff 15948->15949 15949->15947 15950 407809 21 API calls 15949->15950 15951 40804d 15950->15951 15951->15947 15952 40ef1e lstrlenA 15951->15952 15953 40809e 15952->15953 15954 40ef1e lstrlenA 15953->15954 15955 4080af 15954->15955 15956 407a95 24 API calls 15955->15956 15956->15947 15958 407db7 2 API calls 15957->15958 15959 407eb8 15958->15959 15960 40f04e 4 API calls 15959->15960 15961 407ece DeleteFileA 15960->15961 15961->15439 15963 40dd05 6 API calls 15962->15963 15964 40e31d 15963->15964 16055 40e177 15964->16055 15966 40e326 15966->15399 15968 4031f3 15967->15968 15978 4031ec 15967->15978 15969 40ebcc 4 API calls 15968->15969 15983 4031fc 15969->15983 15970 40344b 15971 403459 15970->15971 15972 40349d 15970->15972 15973 40f04e 4 API calls 15971->15973 15974 40ec2e codecvt 4 API calls 15972->15974 15975 40345f 15973->15975 15974->15978 15976 4030fa 4 API calls 15975->15976 15976->15978 15977 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15977->15983 15978->15439 15979 40344d 15980 
40ec2e codecvt 4 API calls 15979->15980 15980->15970 15982 403141 lstrcmpiA 15982->15983 15983->15970 15983->15977 15983->15978 15983->15979 15983->15982 16081 4030fa GetTickCount 15983->16081 15985 4030fa 4 API calls 15984->15985 15986 403c1a 15985->15986 15987 403ce6 15986->15987 16086 403a72 15986->16086 15987->15439 15990 403a72 9 API calls 15992 403c5e 15990->15992 15991 403a72 9 API calls 15991->15992 15992->15987 15992->15991 15993 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15992->15993 15993->15992 15995 403a10 15994->15995 15996 4030fa 4 API calls 15995->15996 15997 403a1a 15996->15997 15997->15439 15999 40dd05 6 API calls 15998->15999 16000 40e7be 15999->16000 16000->15439 16002 40c07e wsprintfA 16001->16002 16006 40c105 16001->16006 16095 40bfce GetTickCount wsprintfA 16002->16095 16004 40c0ef 16096 40bfce GetTickCount wsprintfA 16004->16096 16006->15439 16008 407047 16007->16008 16009 406f88 LookupAccountNameA 16007->16009 16008->15439 16011 407025 16009->16011 16013 406fcb 16009->16013 16012 406edd 5 API calls 16011->16012 16014 40702a wsprintfA 16012->16014 16015 406fdb ConvertSidToStringSidA 16013->16015 16014->16008 16015->16011 16016 406ff1 16015->16016 16017 407013 LocalFree 16016->16017 16017->16011 16019 40dd05 6 API calls 16018->16019 16020 40e85c 16019->16020 16021 40dd84 lstrcmpiA 16020->16021 16023 40e867 16021->16023 16022 40e885 lstrcpyA 16100 40dd69 16022->16100 16023->16022 16097 4024a5 16023->16097 16029 407db7 2 API calls 16028->16029 16030 407de1 16029->16030 16031 407e16 16030->16031 16032 40f04e 4 API calls 16030->16032 16031->15439 16033 407df2 16032->16033 16033->16031 16034 40f04e 4 API calls 16033->16034 16034->16031 16036 40dd84 lstrcmpiA 16035->16036 16037 40c58e 16036->16037 16037->15886 16037->15892 16037->15895 16039 40f33b 16038->16039 16047 40ca1d 16038->16047 16040 40f347 htons socket 16039->16040 16041 40f382 ioctlsocket 16040->16041 16042 40f374 closesocket 16040->16042 16043 40f3aa connect select 
16041->16043 16044 40f39d 16041->16044 16042->16047 16046 40f3f2 __WSAFDIsSet 16043->16046 16043->16047 16045 40f39f closesocket 16044->16045 16045->16047 16046->16045 16048 40f403 ioctlsocket 16046->16048 16047->15358 16047->15911 16050 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16048->16050 16050->16047 16052 407dc8 InterlockedExchange 16051->16052 16053 407dc0 Sleep 16052->16053 16054 407dd4 16052->16054 16053->16052 16054->15938 16054->15943 16056 40e184 16055->16056 16057 40e2e4 16056->16057 16058 40e223 16056->16058 16071 40dfe2 16056->16071 16057->15966 16058->16057 16060 40dfe2 8 API calls 16058->16060 16064 40e23c 16060->16064 16061 40e1be 16061->16058 16062 40dbcf 3 API calls 16061->16062 16065 40e1d6 16062->16065 16063 40e21a CloseHandle 16063->16058 16064->16057 16075 40e095 RegCreateKeyExA 16064->16075 16065->16058 16065->16063 16066 40e1f9 WriteFile 16065->16066 16066->16063 16068 40e213 16066->16068 16068->16063 16069 40e2a3 16069->16057 16070 40e095 4 API calls 16069->16070 16070->16057 16072 40e024 16071->16072 16073 40dffc 16071->16073 16072->16061 16073->16072 16074 40db2e 8 API calls 16073->16074 16074->16072 16076 40e172 16075->16076 16078 40e0c0 16075->16078 16076->16069 16077 40e13d 16079 40e14e RegDeleteValueA RegCloseKey 16077->16079 16078->16077 16080 40e115 RegSetValueExA 16078->16080 16079->16076 16080->16077 16080->16078 16082 403122 InterlockedExchange 16081->16082 16083 40312e 16082->16083 16084 40310f GetTickCount 16082->16084 16083->15983 16084->16083 16085 40311a Sleep 16084->16085 16085->16082 16087 40f04e 4 API calls 16086->16087 16088 403a83 16087->16088 16090 403bc0 16088->16090 16093 403b66 lstrlenA 16088->16093 16094 403ac1 16088->16094 16089 403be6 16092 40ec2e codecvt 4 API calls 16089->16092 16090->16089 16091 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16090->16091 16091->16090 16092->16094 16093->16088 16093->16094 16094->15987 16094->15990 16095->16004 16096->16006 16098 402419 4 
API calls 16097->16098 16099 4024b6 16098->16099 16099->16022 16101 40dd79 lstrlenA 16100->16101 16101->15439 16103 404084 16102->16103 16104 40407d 16102->16104 16105 403ecd 6 API calls 16103->16105 16106 40408f 16105->16106 16107 404000 3 API calls 16106->16107 16109 404095 16107->16109 16108 404130 16110 403ecd 6 API calls 16108->16110 16109->16108 16114 403f18 4 API calls 16109->16114 16111 404159 CreateNamedPipeA 16110->16111 16112 404167 Sleep 16111->16112 16113 404188 ConnectNamedPipe 16111->16113 16112->16108 16116 404176 CloseHandle 16112->16116 16115 404195 GetLastError 16113->16115 16127 4041ab 16113->16127 16117 4040da 16114->16117 16119 40425e DisconnectNamedPipe 16115->16119 16115->16127 16116->16113 16118 403f8c 4 API calls 16117->16118 16120 4040ec 16118->16120 16119->16113 16121 404127 CloseHandle 16120->16121 16122 404101 16120->16122 16121->16108 16123 403f18 4 API calls 16122->16123 16124 40411c ExitProcess 16123->16124 16125 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16125->16127 16126 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16126->16127 16127->16113 16127->16119 16127->16125 16127->16126 16128 40426a CloseHandle CloseHandle 16127->16128 16129 40e318 23 API calls 16128->16129 16130 40427b 16129->16130 16130->16130 16132 408791 16131->16132 16133 40879f 16131->16133 16135 40f04e 4 API calls 16132->16135 16134 4087bc 16133->16134 16136 40f04e 4 API calls 16133->16136 16137 40e819 11 API calls 16134->16137 16135->16133 16136->16134 16138 4087d7 16137->16138 16147 408803 16138->16147 16153 4026b2 gethostbyaddr 16138->16153 16141 4087eb 16143 40e8a1 30 API calls 16141->16143 16141->16147 16143->16147 16146 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16146->16147 16147->16146 16148 40e819 11 API calls 16147->16148 16149 4088a0 Sleep 16147->16149 16151 4026b2 2 API calls 16147->16151 16152 40e8a1 30 API calls 16147->16152 16158 408cee 16147->16158 16166 40c4d6 
16147->16166 16169 40c4e2 16147->16169 16172 402011 16147->16172 16207 408328 16147->16207 16148->16147 16149->16147 16151->16147 16152->16147 16154 4026fb 16153->16154 16155 4026cd 16153->16155 16154->16141 16156 4026e1 inet_ntoa 16155->16156 16157 4026de 16155->16157 16156->16157 16157->16141 16159 408d02 GetTickCount 16158->16159 16160 408dae 16158->16160 16159->16160 16163 408d19 16159->16163 16160->16147 16161 408da1 GetTickCount 16161->16160 16163->16161 16165 408d89 16163->16165 16259 40a677 16163->16259 16262 40a688 16163->16262 16165->16161 16270 40c2dc 16166->16270 16170 40c2dc 142 API calls 16169->16170 16171 40c4ec 16170->16171 16171->16147 16173 402020 16172->16173 16174 40202e 16172->16174 16176 40f04e 4 API calls 16173->16176 16175 40204b 16174->16175 16177 40f04e 4 API calls 16174->16177 16178 40206e GetTickCount 16175->16178 16179 40f04e 4 API calls 16175->16179 16176->16174 16177->16175 16180 4020db GetTickCount 16178->16180 16190 402090 16178->16190 16183 402068 16179->16183 16181 402132 GetTickCount GetTickCount 16180->16181 16182 4020e7 16180->16182 16185 40f04e 4 API calls 16181->16185 16186 40212b GetTickCount 16182->16186 16198 401978 15 API calls 16182->16198 16203 402125 16182->16203 16604 402ef8 16182->16604 16183->16178 16184 4020d4 GetTickCount 16184->16180 16187 402159 16185->16187 16186->16181 16192 40e854 13 API calls 16187->16192 16202 4021b4 16187->16202 16188 402684 2 API calls 16188->16190 16190->16184 16190->16188 16194 4020ce 16190->16194 16599 401978 16190->16599 16191 40f04e 4 API calls 16193 4021d1 16191->16193 16195 40218e 16192->16195 16199 40ea84 30 API calls 16193->16199 16205 4021f2 16193->16205 16194->16184 16197 40e819 11 API calls 16195->16197 16200 40219c 16197->16200 16198->16182 16201 4021ec 16199->16201 16200->16202 16612 401c5f 16200->16612 16204 40f04e 4 API calls 16201->16204 16202->16191 16203->16186 16204->16205 16205->16147 16208 407dd6 6 API calls 16207->16208 16209 40833c 16208->16209 16210 408340 
16209->16210 16211 406ec3 2 API calls 16209->16211 16210->16147 16212 40834f 16211->16212 16213 40835c 16212->16213 16217 40846b 16212->16217 16214 4073ff 17 API calls 16213->16214 16234 408373 16214->16234 16215 408626 GetTempPathA 16246 408638 16215->16246 16216 40675c 21 API calls 16228 4085df 16216->16228 16219 4084a7 RegOpenKeyExA 16217->16219 16244 408450 16217->16244 16220 4084c0 RegQueryValueExA 16219->16220 16221 40852f 16219->16221 16224 408521 RegCloseKey 16220->16224 16225 4084dd 16220->16225 16227 408564 RegOpenKeyExA 16221->16227 16237 4085a5 16221->16237 16222 408762 16222->16210 16232 40ec2e codecvt 4 API calls 16222->16232 16223 4086ad 16223->16222 16226 407e2f 6 API calls 16223->16226 16224->16221 16225->16224 16230 40ebcc 4 API calls 16225->16230 16238 4086bb 16226->16238 16229 408573 RegSetValueExA RegCloseKey 16227->16229 16227->16237 16228->16215 16228->16222 16228->16246 16229->16237 16233 4084f0 16230->16233 16231 40875b DeleteFileA 16231->16222 16232->16210 16233->16224 16236 4084f8 RegQueryValueExA 16233->16236 16234->16210 16239 4083ea RegOpenKeyExA 16234->16239 16234->16244 16236->16224 16240 408515 16236->16240 16241 40ec2e codecvt 4 API calls 16237->16241 16237->16244 16238->16231 16245 4086e0 lstrcpyA lstrlenA 16238->16245 16242 4083fd RegQueryValueExA 16239->16242 16239->16244 16243 40ec2e codecvt 4 API calls 16240->16243 16241->16244 16247 40842d RegSetValueExA 16242->16247 16248 40841e 16242->16248 16250 40851d 16243->16250 16244->16216 16244->16228 16251 407fcf 64 API calls 16245->16251 16684 406ba7 IsBadCodePtr 16246->16684 16249 408447 RegCloseKey 16247->16249 16248->16247 16248->16249 16249->16244 16250->16224 16252 408719 CreateProcessA 16251->16252 16253 40873d CloseHandle CloseHandle 16252->16253 16254 40874f 16252->16254 16253->16222 16255 407ee6 64 API calls 16254->16255 16256 408754 16255->16256 16257 407ead 6 API calls 16256->16257 16258 40875a 16257->16258 16258->16231 16265 40a63d 16259->16265 16261 40a685 16261->16163 
16263 40a63d GetTickCount 16262->16263 16264 40a696 16263->16264 16264->16163 16266 40a645 16265->16266 16267 40a64d 16265->16267 16266->16261 16268 40a66e 16267->16268 16269 40a65e GetTickCount 16267->16269 16268->16261 16269->16268 16286 40a4c7 GetTickCount 16270->16286 16273 40c45e 16278 40c4d2 16273->16278 16279 40c4ab InterlockedIncrement CreateThread 16273->16279 16274 40c300 GetTickCount 16276 40c337 16274->16276 16275 40c326 16275->16276 16277 40c32b GetTickCount 16275->16277 16276->16273 16281 40c363 GetTickCount 16276->16281 16277->16276 16278->16147 16279->16278 16280 40c4cb CloseHandle 16279->16280 16291 40b535 16279->16291 16280->16278 16281->16273 16282 40c373 16281->16282 16283 40c378 GetTickCount 16282->16283 16284 40c37f 16282->16284 16283->16284 16285 40c43b GetTickCount 16284->16285 16285->16273 16287 40a4f7 InterlockedExchange 16286->16287 16288 40a500 16287->16288 16289 40a4e4 GetTickCount 16287->16289 16288->16273 16288->16274 16288->16275 16289->16288 16290 40a4ef Sleep 16289->16290 16290->16287 16292 40b566 16291->16292 16293 40ebcc 4 API calls 16292->16293 16294 40b587 16293->16294 16295 40ebcc 4 API calls 16294->16295 16329 40b590 16295->16329 16296 40bdcd InterlockedDecrement 16297 40bde2 16296->16297 16299 40ec2e codecvt 4 API calls 16297->16299 16300 40bdea 16299->16300 16302 40ec2e codecvt 4 API calls 16300->16302 16301 40bdb7 Sleep 16301->16329 16303 40bdf2 16302->16303 16304 40be05 16303->16304 16306 40ec2e codecvt 4 API calls 16303->16306 16305 40bdcc 16305->16296 16306->16304 16307 40ebed 8 API calls 16307->16329 16310 40b6b6 lstrlenA 16310->16329 16311 4030b5 2 API calls 16311->16329 16312 40e819 11 API calls 16312->16329 16313 40b6ed lstrcpyA 16366 405ce1 16313->16366 16316 40b731 lstrlenA 16316->16329 16317 40b71f lstrcmpA 16317->16316 16317->16329 16318 40b772 GetTickCount 16318->16329 16319 40bd49 InterlockedIncrement 16460 40a628 16319->16460 16322 40b7ce InterlockedIncrement 16376 40acd7 16322->16376 16323 4038f0 6 API calls 
16323->16329 16324 40bc5b InterlockedIncrement 16324->16329 16327 40b912 GetTickCount 16327->16329 16328 40b826 InterlockedIncrement 16328->16318 16329->16296 16329->16301 16329->16305 16329->16307 16329->16310 16329->16311 16329->16312 16329->16313 16329->16316 16329->16317 16329->16318 16329->16319 16329->16322 16329->16323 16329->16324 16329->16327 16329->16328 16330 40b932 GetTickCount 16329->16330 16331 40bcdc closesocket 16329->16331 16334 40bba6 InterlockedIncrement 16329->16334 16336 40a7c1 22 API calls 16329->16336 16338 40bc4c closesocket 16329->16338 16340 40ba71 wsprintfA 16329->16340 16341 405ded 12 API calls 16329->16341 16342 40ab81 lstrcpynA InterlockedIncrement 16329->16342 16344 405ce1 23 API calls 16329->16344 16346 40ef1e lstrlenA 16329->16346 16347 40a688 GetTickCount 16329->16347 16348 403e10 16329->16348 16351 403e4f 16329->16351 16354 40384f 16329->16354 16374 40a7a3 inet_ntoa 16329->16374 16381 40abee 16329->16381 16393 401feb GetTickCount 16329->16393 16414 403cfb 16329->16414 16417 40b3c5 16329->16417 16448 40ab81 16329->16448 16330->16329 16332 40bc6d InterlockedIncrement 16330->16332 16331->16329 16332->16329 16334->16329 16336->16329 16338->16329 16394 40a7c1 16340->16394 16341->16329 16342->16329 16344->16329 16346->16329 16347->16329 16349 4030fa 4 API calls 16348->16349 16350 403e1d 16349->16350 16350->16329 16352 4030fa 4 API calls 16351->16352 16353 403e5c 16352->16353 16353->16329 16355 4030fa 4 API calls 16354->16355 16357 403863 16355->16357 16356 4038b2 16356->16329 16357->16356 16358 4038b9 16357->16358 16359 403889 16357->16359 16469 4035f9 16358->16469 16463 403718 16359->16463 16364 403718 6 API calls 16364->16356 16365 4035f9 6 API calls 16365->16356 16367 405cf4 16366->16367 16368 405cec 16366->16368 16370 404bd1 4 API calls 16367->16370 16475 404bd1 GetTickCount 16368->16475 16371 405d02 16370->16371 16480 405472 16371->16480 16375 40a7b9 16374->16375 16375->16329 16377 40f315 14 API calls 16376->16377 16378 40aceb 
16377->16378 16379 40acff 16378->16379 16380 40f315 14 API calls 16378->16380 16379->16329 16380->16379 16382 40abfb 16381->16382 16386 40ac65 16382->16386 16545 402f22 16382->16545 16384 40f315 14 API calls 16384->16386 16385 40ac8a 16385->16329 16386->16384 16386->16385 16387 40ac6f 16386->16387 16388 40ab81 2 API calls 16387->16388 16390 40ac81 16388->16390 16389 402684 2 API calls 16391 40ac23 16389->16391 16553 4038f0 16390->16553 16391->16386 16391->16389 16393->16329 16395 40a87d lstrlenA send 16394->16395 16396 40a7df 16394->16396 16397 40a899 16395->16397 16398 40a8bf 16395->16398 16396->16395 16402 40a7fa wsprintfA 16396->16402 16405 40a80a 16396->16405 16406 40a8f2 16396->16406 16400 40a8a5 wsprintfA 16397->16400 16407 40a89e 16397->16407 16401 40a8c4 send 16398->16401 16398->16406 16399 40a978 recv 16399->16406 16408 40a982 16399->16408 16400->16407 16403 40a8d8 wsprintfA 16401->16403 16401->16406 16402->16405 16403->16407 16404 40a9b0 wsprintfA 16404->16407 16405->16395 16406->16399 16406->16404 16406->16408 16407->16329 16408->16407 16409 4030b5 2 API calls 16408->16409 16410 40ab05 16409->16410 16411 40e819 11 API calls 16410->16411 16412 40ab17 16411->16412 16413 40a7a3 inet_ntoa 16412->16413 16413->16407 16415 4030fa 4 API calls 16414->16415 16416 403d0b 16415->16416 16416->16329 16418 405ce1 23 API calls 16417->16418 16419 40b3e6 16418->16419 16420 405ce1 23 API calls 16419->16420 16422 40b404 16420->16422 16421 40b440 16424 40ef7c 3 API calls 16421->16424 16422->16421 16423 40ef7c 3 API calls 16422->16423 16425 40b42b 16423->16425 16426 40b458 wsprintfA 16424->16426 16427 40ef7c 3 API calls 16425->16427 16428 40ef7c 3 API calls 16426->16428 16427->16421 16429 40b480 16428->16429 16430 40ef7c 3 API calls 16429->16430 16431 40b493 16430->16431 16432 40ef7c 3 API calls 16431->16432 16433 40b4bb 16432->16433 16567 40ad89 GetLocalTime SystemTimeToFileTime 16433->16567 16437 40b4cc 16438 40ef7c 3 API calls 16437->16438 16439 40b4dd 16438->16439 16440 
40b211 7 API calls 16439->16440 16441 40b4ec 16440->16441 16442 40ef7c 3 API calls 16441->16442 16443 40b4fd 16442->16443 16444 40b211 7 API calls 16443->16444 16445 40b509 16444->16445 16446 40ef7c 3 API calls 16445->16446 16447 40b51a 16446->16447 16447->16329 16449 40abe9 GetTickCount 16448->16449 16451 40ab8c 16448->16451 16453 40a51d 16449->16453 16450 40aba8 lstrcpynA 16450->16451 16451->16449 16451->16450 16452 40abe1 InterlockedIncrement 16451->16452 16452->16451 16454 40a4c7 4 API calls 16453->16454 16455 40a52c 16454->16455 16456 40a542 GetTickCount 16455->16456 16458 40a539 GetTickCount 16455->16458 16456->16458 16459 40a56c 16458->16459 16459->16329 16461 40a4c7 4 API calls 16460->16461 16462 40a633 16461->16462 16462->16329 16464 40f04e 4 API calls 16463->16464 16466 40372a 16464->16466 16465 403847 16465->16356 16465->16364 16466->16465 16467 4037b3 GetCurrentThreadId 16466->16467 16467->16466 16468 4037c8 GetCurrentThreadId 16467->16468 16468->16466 16470 40f04e 4 API calls 16469->16470 16471 40360c 16470->16471 16472 4036da GetCurrentThreadId 16471->16472 16473 4036f1 16471->16473 16472->16473 16474 4036e5 GetCurrentThreadId 16472->16474 16473->16356 16473->16365 16474->16473 16476 404bff InterlockedExchange 16475->16476 16477 404c08 16476->16477 16478 404bec GetTickCount 16476->16478 16477->16367 16478->16477 16479 404bf7 Sleep 16478->16479 16479->16476 16501 404763 16480->16501 16482 404ae6 8 API calls 16500 40548a 16482->16500 16483 405b58 16511 404699 16483->16511 16486 404763 lstrlenA 16487 405b6e 16486->16487 16532 404f9f 16487->16532 16489 405b79 16489->16329 16491 405549 lstrlenA 16491->16500 16492 405472 13 API calls 16492->16500 16494 40558d lstrcpynA 16494->16500 16495 405a9f lstrcpyA 16495->16500 16496 405935 lstrcpynA 16496->16500 16497 404ae6 8 API calls 16498 405643 LoadLibraryW 16497->16498 16498->16500 16499 4058e7 lstrcpyA 16499->16500 16500->16482 16500->16483 16500->16492 16500->16494 16500->16495 16500->16496 16500->16497 
16500->16499 16505 404ae6 16500->16505 16509 40ef7c lstrlenA lstrlenA lstrlenA 16500->16509 16502 40477a 16501->16502 16503 404859 16502->16503 16504 40480d lstrlenA 16502->16504 16503->16500 16504->16502 16506 404af3 16505->16506 16508 404b03 16505->16508 16507 40ebed 8 API calls 16506->16507 16507->16508 16508->16491 16510 40efb4 16509->16510 16510->16500 16537 4045b3 16511->16537 16514 4045b3 7 API calls 16515 4046c6 16514->16515 16516 4045b3 7 API calls 16515->16516 16517 4046d8 16516->16517 16518 4045b3 7 API calls 16517->16518 16519 4046ea 16518->16519 16520 4045b3 7 API calls 16519->16520 16521 4046ff 16520->16521 16522 4045b3 7 API calls 16521->16522 16523 404711 16522->16523 16524 4045b3 7 API calls 16523->16524 16525 404723 16524->16525 16526 40ef7c 3 API calls 16525->16526 16527 404735 16526->16527 16528 40ef7c 3 API calls 16527->16528 16529 40474a 16528->16529 16530 40ef7c 3 API calls 16529->16530 16531 40475c 16530->16531 16531->16486 16533 404fac 16532->16533 16536 404fb0 16532->16536 16533->16489 16534 404ffd 16534->16489 16535 404fd5 IsBadCodePtr 16535->16536 16536->16534 16536->16535 16538 4045c1 16537->16538 16539 4045c8 16537->16539 16540 40ebcc 4 API calls 16538->16540 16541 40ebcc 4 API calls 16539->16541 16543 4045e1 16539->16543 16540->16539 16541->16543 16542 404691 16542->16514 16543->16542 16544 40ef7c 3 API calls 16543->16544 16544->16543 16560 402d21 GetModuleHandleA 16545->16560 16548 402fcf GetProcessHeap HeapFree 16552 402f44 16548->16552 16549 402f4f 16551 402f6b GetProcessHeap HeapFree 16549->16551 16550 402f85 16550->16548 16550->16550 16551->16552 16552->16391 16554 403900 16553->16554 16555 403980 16553->16555 16556 4030fa 4 API calls 16554->16556 16555->16385 16559 40390a 16556->16559 16557 40391b GetCurrentThreadId 16557->16559 16558 403939 GetCurrentThreadId 16558->16559 16559->16555 16559->16557 16559->16558 16561 402d46 LoadLibraryA 16560->16561 16562 402d5b GetProcAddress 16560->16562 16561->16562 16564 402d54 16561->16564 
16562->16564 16566 402d6b 16562->16566 16563 402d97 GetProcessHeap HeapAlloc 16563->16564 16563->16566 16564->16549 16564->16550 16564->16552 16565 402db5 lstrcpynA 16565->16566 16566->16563 16566->16564 16566->16565 16568 40adbf 16567->16568 16592 40ad08 gethostname 16568->16592 16571 4030b5 2 API calls 16572 40add3 16571->16572 16573 40a7a3 inet_ntoa 16572->16573 16576 40ade4 16572->16576 16573->16576 16574 40ae85 wsprintfA 16575 40ef7c 3 API calls 16574->16575 16577 40aebb 16575->16577 16576->16574 16578 40ae36 wsprintfA wsprintfA 16576->16578 16579 40ef7c 3 API calls 16577->16579 16580 40ef7c 3 API calls 16578->16580 16581 40aed2 16579->16581 16580->16576 16582 40b211 16581->16582 16583 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16582->16583 16584 40b2af GetLocalTime 16582->16584 16585 40b2d2 16583->16585 16584->16585 16586 40b2d9 SystemTimeToFileTime 16585->16586 16587 40b31c GetTimeZoneInformation 16585->16587 16589 40b2ec 16586->16589 16588 40b33a wsprintfA 16587->16588 16588->16437 16590 40b312 FileTimeToSystemTime 16589->16590 16590->16587 16593 40ad71 16592->16593 16598 40ad26 lstrlenA 16592->16598 16595 40ad85 16593->16595 16596 40ad79 lstrcpyA 16593->16596 16595->16571 16596->16595 16597 40ad68 lstrlenA 16597->16593 16598->16593 16598->16597 16600 40f428 14 API calls 16599->16600 16601 40198a 16600->16601 16602 401990 closesocket 16601->16602 16603 401998 16601->16603 16602->16603 16603->16190 16605 402d21 6 API calls 16604->16605 16606 402f01 16605->16606 16607 402f0f 16606->16607 16620 402df2 GetModuleHandleA 16606->16620 16609 402684 2 API calls 16607->16609 16611 402f1f 16607->16611 16610 402f1d 16609->16610 16610->16182 16611->16182 16613 401c80 16612->16613 16614 401cc2 wsprintfA 16613->16614 16615 401d1c 16613->16615 16619 401d79 16613->16619 16616 402684 2 API calls 16614->16616 16617 401d47 wsprintfA 16615->16617 16616->16613 16618 402684 2 API calls 16617->16618 16618->16619 16619->16202 16621 402e10 LoadLibraryA 16620->16621 16622 
402e0b 16620->16622 16623 402e17 16621->16623 16622->16621 16622->16623 16624 402ef1 16623->16624 16625 402e28 GetProcAddress 16623->16625 16624->16607 16625->16624 16626 402e3e GetProcessHeap HeapAlloc 16625->16626 16627 402e62 16626->16627 16627->16624 16628 402ede GetProcessHeap HeapFree 16627->16628 16629 402e7f htons inet_addr 16627->16629 16630 402ea5 gethostbyname 16627->16630 16632 402ceb 16627->16632 16628->16624 16629->16627 16629->16630 16630->16627 16633 402cf2 16632->16633 16635 402d1c 16633->16635 16636 402d0e Sleep 16633->16636 16637 402a62 GetProcessHeap HeapAlloc 16633->16637 16635->16627 16636->16633 16636->16635 16638 402a92 16637->16638 16639 402a99 socket 16637->16639 16638->16633 16640 402cd3 GetProcessHeap HeapFree 16639->16640 16641 402ab4 16639->16641 16640->16638 16641->16640 16645 402abd 16641->16645 16642 402adb htons 16657 4026ff 16642->16657 16644 402b04 select 16644->16645 16645->16642 16645->16644 16646 402ca4 16645->16646 16647 402cb3 GetProcessHeap HeapFree closesocket 16645->16647 16648 402b3f recv 16645->16648 16649 402b66 htons 16645->16649 16650 402b87 htons 16645->16650 16653 402bf3 GetProcessHeap HeapAlloc 16645->16653 16654 402c17 htons 16645->16654 16656 402c4d GetProcessHeap HeapFree 16645->16656 16664 402923 16645->16664 16676 402904 16645->16676 16646->16647 16647->16638 16648->16645 16649->16645 16649->16646 16650->16645 16650->16646 16653->16645 16672 402871 16654->16672 16656->16645 16658 40271d 16657->16658 16659 402717 16657->16659 16661 40272b GetTickCount htons 16658->16661 16660 40ebcc 4 API calls 16659->16660 16660->16658 16662 4027cc htons htons sendto 16661->16662 16663 40278a 16661->16663 16662->16645 16663->16662 16665 402944 16664->16665 16667 40293d 16664->16667 16680 402816 htons 16665->16680 16667->16645 16668 402871 htons 16671 402950 16668->16671 16669 4029bd htons htons htons 16669->16667 16670 4029f6 GetProcessHeap HeapAlloc 16669->16670 16670->16667 16670->16671 16671->16667 16671->16668 
16671->16669 16673 4028e3 16672->16673 16674 402889 16672->16674 16673->16645 16674->16673 16674->16674 16675 4028c3 htons 16674->16675 16675->16673 16675->16674 16677 402921 16676->16677 16678 402908 16676->16678 16677->16645 16679 402909 GetProcessHeap HeapFree 16678->16679 16679->16677 16679->16679 16681 40286b 16680->16681 16682 402836 16680->16682 16681->16671 16682->16681 16683 40285c htons 16682->16683 16683->16681 16683->16682 16685 406bc0 16684->16685 16686 406bbc 16684->16686 16687 406bd4 16685->16687 16688 40ebcc 4 API calls 16685->16688 16686->16223 16687->16223 16689 406be4 16688->16689 16689->16687 16690 406c07 CreateFileA 16689->16690 16691 406bfc 16689->16691 16693 406c34 WriteFile 16690->16693 16694 406c2a 16690->16694 16692 40ec2e codecvt 4 API calls 16691->16692 16692->16687 16695 406c49 CloseHandle DeleteFileA 16693->16695 16696 406c5a CloseHandle 16693->16696 16697 40ec2e codecvt 4 API calls 16694->16697 16695->16694 16698 40ec2e codecvt 4 API calls 16696->16698 16697->16687 16698->16687 14936 7a0920 TerminateProcess 16699 7a0005 16704 7a092b GetPEB 16699->16704 16701 7a0030 16706 7a003c 16701->16706 16705 7a0972 16704->16705 16705->16701 16707 7a0049 16706->16707 16721 7a0e0f SetErrorMode SetErrorMode 16707->16721 16712 7a0265 16713 7a02ce VirtualProtect 16712->16713 16715 7a030b 16713->16715 16714 7a0439 VirtualFree 16719 7a05f4 LoadLibraryA 16714->16719 16720 7a04be 16714->16720 16715->16714 16716 7a04e3 LoadLibraryA 16716->16720 16718 7a08c7 16719->16718 16720->16716 16720->16719 16722 7a0223 16721->16722 16723 7a0d90 16722->16723 16724 7a0dad 16723->16724 16725 7a0dbb GetPEB 16724->16725 16726 7a0238 VirtualAlloc 16724->16726 16725->16726 16726->16712 16727 6798d8 16728 6798e7 16727->16728 16731 67a078 16728->16731 16736 67a093 16731->16736 16732 67a09c CreateToolhelp32Snapshot 16733 67a0b8 Module32First 16732->16733 16732->16736 16734 67a0c7 16733->16734 16737 6798f0 16733->16737 16738 679d37 16734->16738 16736->16732 16736->16733 16739 
679d62 16738->16739 16740 679d73 VirtualAlloc 16739->16740 16741 679dab 16739->16741 16740->16741 16741->16741 14905 407a95 RegOpenKeyExA 14906 407ac4 14905->14906 14907 407acb GetUserNameA 14905->14907 14908 407da7 RegCloseKey 14907->14908 14909 407aed LookupAccountNameA 14907->14909 14908->14906 14909->14908 14910 407b24 RegGetKeySecurity 14909->14910 14910->14908 14911 407b49 GetSecurityDescriptorOwner 14910->14911 14912 407b63 EqualSid 14911->14912 14913 407bb8 GetSecurityDescriptorDacl 14911->14913 14912->14913 14915 407b74 LocalAlloc 14912->14915 14914 407da6 14913->14914 14925 407bdc 14913->14925 14914->14908 14915->14913 14916 407b8a InitializeSecurityDescriptor 14915->14916 14917 407bb1 LocalFree 14916->14917 14918 407b96 SetSecurityDescriptorOwner 14916->14918 14917->14913 14918->14917 14920 407ba6 RegSetKeySecurity 14918->14920 14919 407bf8 GetAce 14919->14925 14920->14917 14921 407c1d EqualSid 14921->14925 14922 407cd9 14922->14914 14926 407d5a LocalAlloc 14922->14926 14928 407cf2 RegOpenKeyExA 14922->14928 14923 407c5f EqualSid 14923->14925 14924 407c3a DeleteAce 14924->14925 14925->14914 14925->14919 14925->14921 14925->14922 14925->14923 14925->14924 14926->14914 14927 407d70 InitializeSecurityDescriptor 14926->14927 14929 407d7c SetSecurityDescriptorDacl 14927->14929 14930 407d9f LocalFree 14927->14930 14928->14926 14933 407d0f 14928->14933 14929->14930 14931 407d8c RegSetKeySecurity 14929->14931 14930->14914 14931->14930 14932 407d9c 14931->14932 14932->14930 14934 407d43 RegSetValueExA 14933->14934 14934->14926 14935 407d54 14934->14935 14935->14926
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                          • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                        • ExitProcess.KERNEL32 ref: 00409C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                        • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                        • wsprintfA.USER32 ref: 0040A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                          • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                        • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                        • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                        • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                        • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                        • API String ID: 2089075347-2824936573
                                                                                        • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                        • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                        • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                        • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 264 407a95-407ac2 RegOpenKeyExA 265 407ac4-407ac6 264->265 266 407acb-407ae7 GetUserNameA 264->266 267 407db4-407db6 265->267 268 407da7-407db3 RegCloseKey 266->268 269 407aed-407b1e LookupAccountNameA 266->269 268->267 269->268 270 407b24-407b43 RegGetKeySecurity 269->270 270->268 271 407b49-407b61 GetSecurityDescriptorOwner 270->271 272 407b63-407b72 EqualSid 271->272 273 407bb8-407bd6 GetSecurityDescriptorDacl 271->273 272->273 276 407b74-407b88 LocalAlloc 272->276 274 407da6 273->274 275 407bdc-407be1 273->275 274->268 275->274 278 407be7-407bf2 275->278 276->273 277 407b8a-407b94 InitializeSecurityDescriptor 276->277 279 407bb1-407bb2 LocalFree 277->279 280 407b96-407ba4 SetSecurityDescriptorOwner 277->280 278->274 281 407bf8-407c08 GetAce 278->281 279->273 280->279 282 407ba6-407bab RegSetKeySecurity 280->282 283 407cc6 281->283 284 407c0e-407c1b 281->284 282->279 285 407cc9-407cd3 283->285 286 407c1d-407c2f EqualSid 284->286 287 407c4f-407c52 284->287 285->281 288 407cd9-407cdc 285->288 289 407c31-407c34 286->289 290 407c36-407c38 286->290 291 407c54-407c5e 287->291 292 407c5f-407c71 EqualSid 287->292 288->274 295 407ce2-407ce8 288->295 289->286 289->290 290->287 296 407c3a-407c4d DeleteAce 290->296 291->292 293 407c73-407c84 292->293 294 407c86 292->294 297 407c8b-407c8e 293->297 294->297 298 407d5a-407d6e LocalAlloc 295->298 299 407cea-407cf0 295->299 296->285 300 407c90-407c96 297->300 301 407c9d-407c9f 297->301 298->274 302 407d70-407d7a InitializeSecurityDescriptor 298->302 299->298 303 407cf2-407d0d RegOpenKeyExA 299->303 300->301 304 407ca1-407ca5 301->304 305 407ca7-407cc3 301->305 306 407d7c-407d8a SetSecurityDescriptorDacl 302->306 307 407d9f-407da0 LocalFree 302->307 303->298 308 407d0f-407d16 303->308 304->283 304->305 305->283 306->307 309 407d8c-407d9a RegSetKeySecurity 306->309 307->274 310 407d19-407d1e 308->310 309->307 311 407d9c 
309->311 310->310 312 407d20-407d52 call 402544 RegSetValueExA 310->312 311->307 312->298 315 407d54 312->315 315->298
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2976863881-1403908072
                                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                         Control-flow Graph: function 00409326-004096A9 (rendered graph and executed/not-executed colouring not reproduced)
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: PromptOnSecureDesktop$runas
                                                                                        • API String ID: 3696105349-2220793183
                                                                                        • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                        • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                         Control-flow Graph: function 00406A60-00406BA6 (rendered graph and executed/not-executed colouring not reproduced)
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1251348514-2980165447
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
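The argument columns in the "APIs" listings above are raw hex stack slots, so reading them means decoding Win32 constants by hand: the CreateFileA call at 00406A7D passes 40000000 / 00000002 / 00000080, and the RegOpenKeyExA calls pass root-key handles and access masks. The following decoder is an added example, not part of the Joe Sandbox report or of the sample; the parser and the column handling are mine, the constant tables are the public Win32 definitions, and the sample lines are copied from this report's listings. One caveat it encodes: Joe prints the stack slots at the call site, and they only line up with the documented prototype when the dump happens to align (they do for CreateFileA and CreateToolhelp32Snapshot here); for RegOpenKeyExA the access mask sits in the third column at 00407472 and 004070C2 but in the sixth at 004094F1, so the registry-mask scan below is a heuristic and an assumption, not the documented parameter position.

```python
"""Decode the hex argument columns of Joe Sandbox "APIs" lines.

Added example, not part of the report or the sample. Constant tables are the
public Win32 values; the registry-mask column scan is a heuristic (assumption).
"""
import re
from functools import reduce
from typing import Dict, List, Optional, Tuple

# "• Api.MODULE(arg,...), ref: 00406A7D", the paren-less "• wsprintfA.USER32 ref: ..."
# form, and the "Part of subcall function X:" prefix (recorded as parent).
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

FlagTable = List[Tuple[str, int]]  # composite rights first, then single bits
ROOT_KEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
             0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_RIGHTS: FlagTable = [
    ("KEY_ALL_ACCESS", 0xF003F), ("KEY_READ", 0x20019), ("KEY_WRITE", 0x20006),
    ("KEY_QUERY_VALUE", 0x1), ("KEY_SET_VALUE", 0x2), ("KEY_CREATE_SUB_KEY", 0x4),
    ("KEY_ENUMERATE_SUB_KEYS", 0x8), ("KEY_NOTIFY", 0x10), ("KEY_CREATE_LINK", 0x20),
    ("KEY_WOW64_64KEY", 0x100), ("KEY_WOW64_32KEY", 0x200), ("DELETE", 0x10000),
    ("READ_CONTROL", 0x20000), ("WRITE_DAC", 0x40000), ("WRITE_OWNER", 0x80000)]
KEY_RIGHTS_MASK = reduce(lambda m, t: m | t[1], KEY_RIGHTS, 0)  # every bit a mask may use
FILE_ACCESS: FlagTable = [("GENERIC_ALL", 0x10000000), ("GENERIC_EXECUTE", 0x20000000),
                          ("GENERIC_WRITE", 0x40000000), ("GENERIC_READ", 0x80000000)]
FILE_SHARE: FlagTable = [("FILE_SHARE_READ", 0x1), ("FILE_SHARE_WRITE", 0x2),
                         ("FILE_SHARE_DELETE", 0x4)]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS: FlagTable = [("FILE_ATTRIBUTE_READONLY", 0x1), ("FILE_ATTRIBUTE_HIDDEN", 0x2),
                         ("FILE_ATTRIBUTE_SYSTEM", 0x4), ("FILE_ATTRIBUTE_NORMAL", 0x80),
                         ("FILE_ATTRIBUTE_TEMPORARY", 0x100),
                         ("FILE_FLAG_DELETE_ON_CLOSE", 0x04000000)]
TH32CS: FlagTable = [("TH32CS_SNAPHEAPLIST", 0x1), ("TH32CS_SNAPPROCESS", 0x2),
                     ("TH32CS_SNAPTHREAD", 0x4), ("TH32CS_SNAPMODULE", 0x8),
                     ("TH32CS_SNAPMODULE32", 0x10), ("TH32CS_INHERIT", 0x80000000)]


def flags(value: int, table: FlagTable, zero: str = "0") -> str:
    """Name the bits of value (composites first); leftover bits are shown as hex."""
    if value == 0:
        return zero
    names, rem = [], value
    for name, bits in table:
        if rem & bits == bits:
            names.append(name)
            rem &= ~bits
    if rem:
        names.append(f"0x{rem:X}")
    return "|".join(names)


def column(args: List[str], i: int) -> Optional[int]:
    """Hex value in column i; None when out of range, '?' or a resolved string."""
    if i < len(args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", args[i]):
        return int(args[i], 16)
    return None


def registry_mask(args: List[str]) -> Optional[str]:
    """Heuristic (assumption): first non-zero column after hKey whose bits all
    belong to a registry access mask, because the slot position varies per site."""
    for i in range(1, len(args)):
        v = column(args, i)
        if v and v & ~KEY_RIGHTS_MASK == 0:
            return flags(v, KEY_RIGHTS)
    return None


def decode(api: str, args: List[str]) -> Dict[str, str]:
    """Per-API decoding; positional reads only where the dump aligns with the prototype."""
    out: Dict[str, str] = {}
    if api == "CreateFileA":
        for label, i, fmt in (("dwDesiredAccess", 1, lambda v: flags(v, FILE_ACCESS)),
                              ("dwShareMode", 2, lambda v: flags(v, FILE_SHARE, "0 (exclusive)")),
                              ("dwCreationDisposition", 4, lambda v: DISPOSITION.get(v, f"0x{v:X}")),
                              ("dwFlagsAndAttributes", 5, lambda v: flags(v, FILE_ATTRS))):
            v = column(args, i)
            if v is not None:
                out[label] = fmt(v)
    elif api.startswith("RegOpenKeyEx"):
        h = column(args, 0)
        if h is not None:
            out["hKey"] = ROOT_KEYS.get(h, f"handle 0x{h:X}")
        m = registry_mask(args)
        if m:
            out["samDesired"] = m
    elif api == "CreateToolhelp32Snapshot":
        v = column(args, 0)
        if v is not None:
            out["dwFlags"] = flags(v, TH32CS)
    return out


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module"), "ref": m.group("ref"),
            "parent": m.group("parent"), "args": args, "decoded": decode(m.group("api"), args)}


def decode_listing(text: str) -> List[Dict[str, object]]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Sample input: lines copied from the "APIs" listings in this report.
SAMPLE = """
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0067A0A0
• wsprintfA.USER32 ref: 004093CE
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
"""

if __name__ == "__main__":
    for e in decode_listing(SAMPLE):
        print(f"{e['ref']} {e['api']}.{e['module']} {e['decoded']}")
```

Run against the sample, the CreateFileA site decodes to GENERIC_WRITE, exclusive share, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL (a fresh file opened for writing, consistent with the DeleteFileA on the error path of that function), 00407472 opens HKEY_LOCAL_MACHINE with KEY_READ|KEY_WOW64_64KEY, and the CreateToolhelp32Snapshot flag 8 is TH32CS_SNAPMODULE. Anything shown as "?" or as a resolved string (PromptOnSecureDesktop) is left untouched, and columns beyond the prototype, which Joe fills with whatever else is on the stack, are never interpreted.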

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                         Control-flow Graph: function 007A092B-007A0A3E, entered via a PEB read (GetPEB) (rendered graph and executed/not-executed colouring not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .$GetProcAddress.$l
                                                                                        • API String ID: 0-2784972518
                                                                                        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                        • Instruction ID: 25832fa1444af66ef1e743b70733ccc99ec660d3ec924cc2d2e4fc63a549f9ad
                                                                                        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                        • Instruction Fuzzy Hash: C4318AB6900609CFEB10CF99C884AAEBBF9FF49324F24454AD841A7311D775EA45CFA4

                                                                                         Control-flow Graph: function 0067A078-0067A0D6 (rendered graph and executed/not-executed colouring not reproduced)
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0067A0A0
                                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 0067A0C0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089364508.000000000066A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0066A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_66a000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 3833638111-0
                                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction ID: f99fea7e0203cee00dd8db9cce3293b519344754f9fe84b8b0e3880384836728
                                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                        • Instruction Fuzzy Hash: CAF09635500714AFD7303BF99D8DBAF76E9AF89729F104A2CF64A911C0DB70EC494A62
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                          • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocateSize
                                                                                        • String ID:
                                                                                        • API String ID: 2559512979-0
                                                                                        • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                        • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                        • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                         Control-flow Graph: function 004073FF-00407808 (rendered graph and executed/not-executed colouring not reproduced)
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 3433985886-3108538426
                                                                                        • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                        • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                         Control-flow Graph: function 0040704C-004073F7 (rendered graph and executed/not-executed colouring not reproduced)
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.KERNELBASE(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"$PromptOnSecureDesktop
                                                                                        • API String ID: 4293430545-98143240
                                                                                        • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                        • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                        Control-flow Graph

• control_flow_graph (edge list flattened by extraction): function 40675c-406986, basic blocks 628-663. Call sequence: SetFileAttributesA (block 40677a) -> CreateFileA (block 406784; one branch goes through a second CreateFileA in block 4067a4) -> SetFileAttributesA (block 4067ba) -> GetFileSize (block 4067cf) -> ReadFile (block 4067ed) -> SetFilePointer (block 406811) -> ReadFile (block 40682a) -> SetFilePointer (block 406848) -> ReadFile in block 406878, re-entered from block 4068c8 -> SetFilePointer (block 406900) -> ReadFile (block 40690d) -> FindCloseChangeNotification (block 40696e). The error edges of the GetFileSize, ReadFile and SetFilePointer blocks all lead to block 40696b and from there to the handle close. Internal calls: 40ebcc, 40ec2e.
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 1400801100-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
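The three read lengths in the function at 0040675C (0x40 bytes, then 0xF8 bytes after a seek, then a loop of 0x28-byte reads after a second seek) are sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), so the routine walks a PE32 file's headers on disk before it reads the body. The Python below is an added example, not code from this report or from the sample: it performs the same walk on a constructed PE32 image with a bounds check at every step, takes the section-table offset from SizeOfOptionalHeader instead of the fixed 0xF8 the sample seeks past, and reports two things worth checking on any dropped file, sections that are writable and executable at once and sections whose raw data runs past the end of the file. The image, the field names and the helper names are the example's own.

```python
import struct

# Read sizes observed in the function at 0040675C: 0x40, 0xF8 and 0x28 bytes.
# They equal sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and
# sizeof(IMAGE_SECTION_HEADER), i.e. the routine walks a PE32 header.
DOS_HEADER_SIZE = 0x40
NT_HEADERS32_SIZE = 0xF8
SECTION_HEADER_SIZE = 0x28

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE


class PEFormatError(ValueError):
    """Raised when the bytes do not carry a well-formed PE32 header."""


def parse_pe32(data: bytes) -> dict:
    """DOS header -> NT headers -> section table, the same sequence as the
    sample's reads, but with every offset checked against the file size."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise PEFormatError("no DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + NT_HEADERS32_SIZE > len(data):
        raise PEFormatError("e_lfanew points past the end of the file")
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if nt[:4] != b"PE\0\0":
        raise PEFormatError("no PE signature")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", nt, 4)
    opt = 4 + 20                                   # optional header follows signature + file header
    if struct.unpack_from("<H", nt, opt)[0] != 0x10B:
        raise PEFormatError("not a PE32 (magic 0x10B) optional header")
    entry_point = struct.unpack_from("<I", nt, opt + 16)[0]
    image_base = struct.unpack_from("<I", nt, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", nt, opt + 56)[0]

    # Seeking to e_lfanew + 0xF8 is only right when SizeOfOptionalHeader == 0xE0;
    # use the field so a non-standard optional header does not misalign the table.
    table = e_lfanew + opt + opt_size
    if table + nsections * SECTION_HEADER_SIZE > len(data):
        raise PEFormatError("section table runs past the end of the file")

    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "characteristics": flags,
            # writable + executable is where in-place unpacking happens
            "rwx": (flags & RWX) == RWX,
            # raw data past EOF: a file-based read loop gets a short read here
            "truncated": raw_ptr + raw_size > len(data),
        })

    return {
        "machine": machine,
        "characteristics": characteristics,
        "number_of_sections": nsections,
        "entry_point": entry_point,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "entry_section": _section_for_rva(sections, entry_point),
        "sections": sections,
    }


def _section_for_rva(sections, rva):
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None   # an entry point outside every section is itself a red flag


def build_sample_pe() -> bytes:
    """Constructed PE32 image for this demo (not the analysed sample): two
    sections, the second one writable+executable and cut short on disk."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    struct.pack_into("<I", opt, 56, 0x3000)                         # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                          # SizeOfHeaders
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + b"\x90" * 0x100            # .data has 0x100 of its 0x200 bytes


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())
    print(f"entry 0x{info['entry_point']:X} in section {info['entry_section']}")
    for s in info["sections"]:
        print(f"{s['name']:8} rwx={s['rwx']} truncated={s['truncated']}")
```

Run it directly to print the entry-point section and the per-section flags; on a header that does not fit in the file parse_pe32 raises PEFormatError instead of returning fields read from wherever the short read stopped.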

                                                                                        Control-flow Graph

• control_flow_graph (edge list flattened by extraction): function 7a003c-7a091d, basic blocks 692-775. API call sites: VirtualAlloc in block 7a004c, VirtualProtect in block 7a02ce, VirtualFree in block 7a0439, LoadLibraryA in blocks 7a04e3 and 7a086e. Loops: block 7a02b2 back to 7a02a1; block 7a03e2 (call 7a0ce7) back to 7a03d1; blocks 7a04d3-7a05ef around the first LoadLibraryA; blocks 7a063e-7a077a; block 7a084b back to 7a0839. Internal calls: 7a0a3f, 7a0e0f, 7a0d90, 7a0a69, 7a0cce, 7a0ce7.
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 007A024D
Memory Dump Source
• Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID: cess$kernel32.dll
                                                                                        • API String ID: 4275171209-1230238691
                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction ID: cc6d5921154b78107d5c505add64502630adb7c0d8fbae98864914a037feabd1
                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction Fuzzy Hash: 4E528874A01229DFDB64CF68C984BA8BBB1BF09304F1485D9E80DAB351DB34AE94DF54
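The argument columns in these API lines are the stack slots at the call, printed raw: a '?' is a value the sandbox did not resolve, and the slots after the API's real parameter count (the recurring 75920F10 after CreateFileA's seven parameters, for instance) are not arguments at all. The Python below is an added example, not code from this report or from the sample: it parses lines in this format and turns the numeric slots of CreateFileA, SetFileAttributesA and VirtualAlloc into Win32 symbolic names, so that 00000004 in the second CreateFileA of 0040675C reads as FILE_ATTRIBUTE_SYSTEM, 00000002 in the SetFileAttributesA after it as FILE_ATTRIBUTE_HIDDEN, and the VirtualAlloc in 007A003C as MEM_COMMIT with PAGE_READWRITE rather than an executable protection (the graph of that function shows a VirtualProtect call after it, which is where the protection can still change). The sample lines are copied from this page, the tables hold standard Win32 constants, and the function and table names are the example's own.

```python
import re

# One API line of the report, e.g.
#   • CreateFileA.KERNELBASE(?,80000000,00000003,...), ref: 0040679A
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})"
)

# Standard Win32 constants for the parameters decoded here.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
             0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# api -> [(stack slot index, parameter name, table, decode as bit mask?)]
DECODERS = {
    "CreateFileA": [(1, "dwDesiredAccess", ACCESS, True), (2, "dwShareMode", SHARE, True),
                    (4, "dwCreationDisposition", DISPOSITION, False),
                    (5, "dwFlagsAndAttributes", FILE_ATTR, True)],
    "SetFileAttributesA": [(1, "dwFileAttributes", FILE_ATTR, True)],
    "VirtualAlloc": [(2, "flAllocationType", ALLOC, True), (3, "flProtect", PROTECT, False)],
}

# Lines copied from this report (constructed input for the demo).
SAMPLE_LINES = [
    "• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E",
    "• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A",
    "• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0",
    "• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF",
    "• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 007A024D",
    "Similarity",   # a non-API line: must be ignored, not mis-parsed
]


def decode_value(value: int, table: dict, bitmask: bool) -> str:
    """Exact lookup for enumerations; set-bit decomposition for masks, with
    bits the table does not know kept as hex instead of silently dropped."""
    if not bitmask:
        return table.get(value, f"0x{value:X}")
    names, known = [], 0
    for bit, name in table.items():
        if value & bit:
            names.append(name)
            known |= bit
    rest = value & ~known & 0xFFFFFFFF
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def parse_line(line: str):
    """Return {api, module, ref, decoded} for an API line, None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    slots = [s.strip() for s in m.group("args").split(",")]
    decoded = {}
    for idx, pname, table, bitmask in DECODERS.get(m.group("api"), []):
        # '?' (unresolved) and string slots are kept verbatim rather than guessed
        if idx >= len(slots) or not re.fullmatch(r"[0-9A-F]{1,8}", slots[idx]):
            decoded[pname] = slots[idx] if idx < len(slots) else "?"
            continue
        decoded[pname] = decode_value(int(slots[idx], 16), table, bitmask)
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": m.group("ref"), "decoded": decoded}


def decode_report(lines):
    return [rec for rec in map(parse_line, lines) if rec]


def findings(records):
    """Call out the decoded settings an analyst would want flagged."""
    out = []
    for r in records:
        d = r["decoded"]
        if r["api"] == "SetFileAttributesA" and any(
                k in d.get("dwFileAttributes", "") for k in ("HIDDEN", "SYSTEM")):
            out.append(f"{r['ref']}: sets {d['dwFileAttributes']} on a file")
        if r["api"] == "CreateFileA" and "FILE_ATTRIBUTE_SYSTEM" in d.get("dwFlagsAndAttributes", ""):
            out.append(f"{r['ref']}: CreateFileA with FILE_ATTRIBUTE_SYSTEM")
        if r["api"] == "VirtualAlloc" and d.get("flProtect", "").startswith("PAGE_EXECUTE"):
            out.append(f"{r['ref']}: allocates executable memory ({d['flProtect']})")
    return out


if __name__ == "__main__":
    records = decode_report(SAMPLE_LINES)
    for rec in records:
        print(rec["ref"], rec["api"], rec["decoded"])
    print(findings(records))
```

The decoder only labels slots at the documented parameter positions; it never reads the trailing slots, and it leaves an unresolved '?' as '?' so a missing value is not mistaken for zero.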

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                        • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                        • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                          • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                          • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                          • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                          • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                          • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Similarity
                                                                                        • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4131120076-2980165447
                                                                                        • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                        • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                        • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                        • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                        Control-flow Graph

• control_flow_graph (edge list flattened by extraction): function 404000-40405c, basic blocks 791-800. CreateFileA in block 40400b; one branch goes to GetLastError (block 40402c), two compare blocks (404037, 40403c), Sleep (block 404041) and back to block 40400b, or leaves through block 404052. A retry loop around CreateFileA.
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 408151869-2980165447
                                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                        Control-flow Graph

• control_flow_graph (edge list flattened by extraction): function 406987-406a5f, basic blocks 801-819. WriteFile in block 4069e4, then a second WriteFile in block 406a10 that is re-entered from block 406a35 until the loop leaves through block 406a3c.
                                                                                        APIs
                                                                                        • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                        • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Similarity
                                                                                        • API ID: FileWrite
                                                                                        • String ID: ,k@
                                                                                        • API String ID: 3934441357-1053005162
                                                                                        • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                        • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                        • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                        Control-flow Graph

• control_flow_graph (edge list flattened by extraction): function 406dc2-406e35, basic blocks 838-849. Calls 406cc9 and 40ef00 (block 406dd7), a one-block loop at 406df4, then GetVolumeInformationA in block 406e02.
                                                                                        APIs
                                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Similarity
                                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                        • String ID: /{Q
                                                                                        • API String ID: 1823874839-485955984
                                                                                        • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                        • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                        • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                        Control-flow Graph

• control_flow_graph (edge list flattened by extraction): function 4091eb-409324, basic blocks 850-891. Calls 40ed03 (blocks 40920e, 40921e) and 40ee08 (block 409250); one-block loops at 409233, 409281 and 4092b5; ShellExecuteA in block 4092bf; one branch reaches Sleep (block 4092f1) and then either exits through block 409308 or restarts from block 40920e. A retry loop around ShellExecuteA.
                                                                                        APIs
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                        • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShellSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4194306370-0
                                                                                        • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                        • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                        • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                        • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,007A0223,?,?), ref: 007A0E19
                                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,007A0223,?,?), ref: 007A0E1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction ID: 60cb3f40b0b8b15a525da7d8e95f9786b204af80b7b2fad890f04ce13a54c87c
                                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                        • Instruction Fuzzy Hash: 44D0123114512877DB003B94DC09BCD7B1CDF09B62F008411FB0DD9080C774994046E5
                                                                                        APIs
                                                                                        • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 007A0929
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 560597551-0
                                                                                        • Opcode ID: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                        • Instruction ID: 46c7c7c6dcd93c711cbd188b681eb9ae36fa97d9339837816e323f92b9b16bc3
                                                                                        • Opcode Fuzzy Hash: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                        • Instruction Fuzzy Hash: 9F90043034437511DC3035DC0C01F4500133741734F7047307533DD1D0C54157004117
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00679D88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089364508.000000000066A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0066A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_66a000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction ID: dc93ad87f07fa61d11f3e4818c51c17241767802e22cae7f17033e5879e85105
                                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                        • Instruction Fuzzy Hash: A4113C79A00208EFDB01DF98C985E98BBF5AF08350F09C094F9489B362D771EA50DF90
                                                                                        APIs
                                                                                        • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                        • closesocket.WS2_32(?), ref: 0040CB63
                                                                                        • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                        • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                        • wsprintfA.USER32 ref: 0040CD21
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                        • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                        • closesocket.WS2_32(?), ref: 0040D56C
                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                        • ExitProcess.KERNEL32 ref: 0040D583
                                                                                        • wsprintfA.USER32 ref: 0040D81F
                                                                                          • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                        • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                        • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • API String ID: 562065436-3791576231
                                                                                        • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                        • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                        • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
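The two API listings above describe a procedure rather than isolated calls: the routine at 0040CA4E-0040DAD5 writes a file under the path returned by GetTempPathA, starts it with CreateProcessA using dwCreationFlags 0x08000000 (CREATE_NO_WINDOW), waits up to 0xEA60 ms (60 s), deletes it, then writes further files under GetSystemDirectoryA and marks them FILE_ATTRIBUTE_HIDDEN (0x2); the routine at 00401012-0040121A resolves token-manipulation exports from ntdll.dll by name. The script below is an added example by the editor, not part of the Joe Sandbox report and not code from the sample: it parses API lines in the report's own `Api.MODULE(args), ref: ADDR` format and evaluates those behaviours as ordered rules. The embedded trace is constructed from the lines shown above; the rule names, the subsequence patterns and the decision to treat the report order as call order are the editor's choices. The Win32 constant values are those of the SDK headers.

```python
import re

# Win32 constants (values from the SDK headers) used to decode hex arguments.
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 0x2
FILE_ATTRIBUTE_HIDDEN = 0x2
CREATE_NO_WINDOW = 0x08000000

# Constructed input: API lines copied from the report listings above
# (drop-and-execute routine, then the ntdll resolver). Not a real trace file.
SAMPLE_TRACE = """
GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
wsprintfA.USER32 ref: 0040CD21
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
DeleteFileA.KERNEL32(?), ref: 0040CDC4
GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
CloseHandle.KERNEL32(00000000), ref: 0040D19C
SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_trace(text):
    """Parse 'Api.MODULE(a,b,?), ref: ADDR' lines. Hex args become ints, '?' becomes
    None, anything else (an exported name, a DLL name) stays a string. Order is kept."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue  # headers, 'Part of subcall function ...' lines, blanks
        args = []
        for a in (m.group("args") or "").split(","):
            a = a.strip()
            if not a:
                continue
            try:
                args.append(int(a, 16))
            except ValueError:
                args.append(None if a == "?" else a)
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def arg(call, i):
    return call["args"][i] if i < len(call["args"]) else None


def flag_set(value, flag):
    return isinstance(value, int) and value & flag == flag


def has_subsequence(names, pattern):
    """True if every name in pattern occurs in names, in that order (gaps allowed)."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def rule_temp_drop_execute_delete(calls):
    """Payload written under %TEMP%, executed, waited for, then deleted."""
    return has_subsequence([c["api"] for c in calls],
                           ["GetTempPathA", "CreateFileA", "WriteFile",
                            "CreateProcessA", "WaitForSingleObject", "DeleteFileA"])


def rule_create_no_window_process(calls):
    """CreateProcessA whose dwCreationFlags (6th argument) carries CREATE_NO_WINDOW."""
    return any(c["api"] == "CreateProcessA" and flag_set(arg(c, 5), CREATE_NO_WINDOW)
               for c in calls)


def rule_hidden_write_to_system_dir(calls):
    """After GetSystemDirectoryA: CreateFileA(GENERIC_WRITE, CREATE_ALWAYS), WriteFile,
    then SetFileAttributesA(FILE_ATTRIBUTE_HIDDEN). Evaluated as an ordered state machine
    so an earlier FILE_ATTRIBUTE_NORMAL (0x80) reset does not count."""
    stage = 0
    for c in calls:
        if stage == 0 and c["api"] == "GetSystemDirectoryA":
            stage = 1
        elif stage == 1 and c["api"] == "CreateFileA" \
                and flag_set(arg(c, 1), GENERIC_WRITE) and arg(c, 4) == CREATE_ALWAYS:
            stage = 2
        elif stage == 2 and c["api"] == "WriteFile":
            stage = 3
        elif stage == 3 and c["api"] == "SetFileAttributesA" \
                and flag_set(arg(c, 1), FILE_ATTRIBUTE_HIDDEN):
            return True
    return False


TOKEN_APIS = {"NtOpenProcessToken", "NtDuplicateToken", "NtFilterToken",
              "NtQueryInformationToken", "NtSetInformationToken"}


def rule_token_api_resolution(calls):
    """Token-related ntdll exports resolved by name through GetProcAddress."""
    resolved = {arg(c, 1) for c in calls if c["api"] == "GetProcAddress"}
    return sorted(resolved & TOKEN_APIS)


def triage(text):
    calls = parse_trace(text)
    return {
        "temp_drop_execute_delete": rule_temp_drop_execute_delete(calls),
        "create_no_window_process": rule_create_no_window_process(calls),
        "hidden_write_to_system_dir": rule_hidden_write_to_system_dir(calls),
        "token_api_resolution": rule_token_api_resolution(calls),
    }


if __name__ == "__main__":
    for name, hit in triage(SAMPLE_TRACE).items():
        print(f"{name:28s} {hit}")
```

The rules deliberately key on argument values rather than on API names alone: a CreateFileA with CREATE_ALWAYS and GENERIC_WRITE followed by SetFileAttributesA(0x2) is what separates the hidden drop from an ordinary write, and the ordered state machine avoids matching the FILE_ATTRIBUTE_NORMAL reset that precedes it in the listing.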
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
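The format string `%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u` together with the Sun..Sat and Jan..Dec tables and the GetTimeZoneInformation call in the listing above produces a timestamp in the RFC 2822 `Date:` header layout (`Mon, 2 Sep 2024 10:15:00 +0200`). That reading of the string is the editor's; the report does not say where the routine's output is used. The block below is an added example, not code from the sample or from the report: it rebuilds the header from SYSTEMTIME-style fields and a TIME_ZONE_INFORMATION.Bias value, and round-trips the result through Python's RFC 2822 parser. The one detail worth checking in such code is the sign of the offset: Bias is defined as minutes to add to local time to obtain UTC, so UTC+02:00 has Bias = -120 and the printed offset is the negated bias. The input timestamps are constructed.

```python
from datetime import date, timezone
from email.utils import parsedate_to_datetime

# Tables in SYSTEMTIME order: wDayOfWeek 0 = Sunday, wMonth 1 = January.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Format string as shown in the report's string list (Python accepts %u as %d).
DATE_FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"


def format_date_header(year, month, day, hour, minute, second, bias_minutes):
    """Render SYSTEMTIME-style local fields plus TIME_ZONE_INFORMATION.Bias with DATE_FMT.

    Bias = minutes to add to local time to reach UTC (UTC = local + Bias), so the
    header offset is -Bias: Bias -120 prints +0200, Bias 300 prints -0500.
    """
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hh, mm = divmod(abs(offset), 60)
    wday = (date(year, month, day).weekday() + 1) % 7   # Python Monday=0 -> SYSTEMTIME Sunday=0
    return DATE_FMT % (DAYS[wday], day, MONTHS[month - 1], year,
                       hour, minute, second, sign, hh, mm)


def header_to_utc_iso(header):
    """Parse an RFC 2822 Date header and return the instant as an ISO 8601 UTC string.
    If the bias sign were applied the wrong way round, this would be off by 2*offset."""
    return parsedate_to_datetime(header).astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    # Constructed local time 2024-09-02 10:15:00 in a UTC+02:00 zone (Bias = -120).
    hdr = format_date_header(2024, 9, 2, 10, 15, 0, -120)
    print(hdr)                     # Mon, 2 Sep 2024 10:15:00 +0200
    print(header_to_utc_iso(hdr))  # 2024-09-02T08:15:00+00:00
```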
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-3716895483
                                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                        • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                                        • select.WS2_32 ref: 00402B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2404124870-2980165447
                                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                        • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                        • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID: *p@
                                                                                        • API String ID: 3429775523-2474123842
                                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 007A65F6
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 007A6610
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 007A6631
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 007A6652
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction ID: 0ff85868b294882798ef9655ec715953e1f667b82fef1acf06e34b3dbf40103d
                                                                                        • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                        • Instruction Fuzzy Hash: 4011A3B1A00218BFDB219F75DC0AF9B3FA8EB457A5F144124F908E7251D7B5DD008AA4
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                        • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                          • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                          • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3754425949-0
                                                                                        • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                        • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                        • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                        • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                        • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                        • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                        • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089364508.000000000066A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0066A000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_66a000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                        • Instruction ID: 0f5b54a4192c705d112e100ea6fe7105aa5d06c880a61d60bed92612fd99926d
                                                                                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                        • Instruction Fuzzy Hash: E21130727405009FEB54DE55DCD1EA673EAEB99320B298059EA08CB316E679E842C760
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                        • Instruction ID: d5d320989883a75441cc4847dc7e3c057b311ac91c638186312ac6d0dcdec9a6
                                                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                        • Instruction Fuzzy Hash: 4801A277B016049FDF21DF64C804BAA33E5FBC7316F454AA9D90A97282E778AD418BD0
                                                                                        APIs
                                                                                        • ExitProcess.KERNEL32 ref: 007A9E6D
                                                                                        • lstrcpy.KERNEL32(?,00000000), ref: 007A9FE1
                                                                                        • lstrcat.KERNEL32(?,?), ref: 007A9FF2
                                                                                        • lstrcat.KERNEL32(?,0041070C), ref: 007AA004
                                                                                        • GetFileAttributesExA.KERNEL32(?,?,?), ref: 007AA054
                                                                                        • DeleteFileA.KERNEL32(?), ref: 007AA09F
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 007AA0D6
                                                                                        • lstrcpy.KERNEL32 ref: 007AA12F
                                                                                        • lstrlen.KERNEL32(00000022), ref: 007AA13C
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 007A9F13
                                                                                          • Part of subcall function 007A7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 007A7081
                                                                                          • Part of subcall function 007A6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\dsjfzmi,007A7043), ref: 007A6F4E
                                                                                          • Part of subcall function 007A6F30: GetProcAddress.KERNEL32(00000000), ref: 007A6F55
                                                                                          • Part of subcall function 007A6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 007A6F7B
                                                                                          • Part of subcall function 007A6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 007A6F92
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 007AA1A2
                                                                                        • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 007AA1C5
                                                                                        • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 007AA214
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 007AA21B
                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 007AA265
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 007AA29F
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 007AA2C5
                                                                                        • lstrcat.KERNEL32(?,00000022), ref: 007AA2D9
                                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 007AA2F4
                                                                                        • wsprintfA.USER32 ref: 007AA31D
                                                                                        • lstrcat.KERNEL32(?,00000000), ref: 007AA345
                                                                                        • lstrcat.KERNEL32(?,?), ref: 007AA364
                                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 007AA387
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 007AA398
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 007AA1D1
                                                                                          • Part of subcall function 007A9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 007A999D
                                                                                          • Part of subcall function 007A9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007A99BD
                                                                                          • Part of subcall function 007A9966: RegCloseKey.ADVAPI32(?), ref: 007A99C6
                                                                                        • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 007AA3DB
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 007AA3E2
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 007AA41D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                        • String ID: "$"$"$D$P$\
                                                                                        • API String ID: 1653845638-2605685093
                                                                                        • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction ID: 1150c8836950b4f9d42b6f88caa3056a332e3f564bddee1cabc3918e40d09a65
                                                                                        • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction Fuzzy Hash: 5DF13EB1D40259FEDF21DBA08C49EEF7BBCAB4A300F0445A6F605E2141E7798A85CF65
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 007A7D21
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 007A7D46
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 007A7D7D
                                                                                        • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 007A7DA2
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 007A7DC0
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 007A7DD1
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 007A7DE5
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 007A7DF3
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 007A7E03
                                                                                        • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 007A7E12
                                                                                        • LocalFree.KERNEL32(00000000), ref: 007A7E19
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A7E35
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2976863881-1403908072
                                                                                        • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction ID: cba050a2f6fb085e1fa867729cb4c2c42fcd8e25d132e39b2821e5203c8be78f
                                                                                        • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction Fuzzy Hash: A5A15B71904219AFDF119FA0DD88FEFBFB9FB89300F04816AE515E2150DB798A85CB64
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                        • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                        • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
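The send/recv function above (wsprintfA at 0040A7FB, send at 0040A893 and 0040A8D2, recv with a 0x3F6-byte buffer at 0040A97C) and its string set ("ehlo %s", "helo %s", "mail from:<%s>", "rcpt to:<%s>", "data", "quit", "Too big smtp respons (%d bytes)", "Too small respons", "Incorrect respons", "Error sending command (sent = %d/%d)") describe the bot's outbound spam dialogue; the 5-byte send at 0040A8D2 is the "\r\n.\r\n" DATA terminator. The following is an added Python reconstruction of that exchange, not code from the sample or from Joe Sandbox: both peers are scripted over a socketpair so it runs offline, the server replies, host name and addresses are constructed, and two details not shown by the report are assumptions marked in comments: that "ESMTP" in the banner selects ehlo (with helo as fallback), and the exact threshold behind "Too small respons". AUTH LOGIN, also in the string set, is omitted.

```python
import socket
import threading

MAX_RESPONSE = 0x3F6  # recv() buffer length at 0040A97C (1014 bytes)


class SmtpError(Exception):
    pass


def read_response(sock):
    """Read one reply and apply the size/format checks the strings imply."""
    data = sock.recv(MAX_RESPONSE)
    if len(data) >= MAX_RESPONSE:          # buffer filled: "Too big smtp respons"
        raise SmtpError("Too big smtp respons (%d bytes)" % len(data))
    if len(data) < 5:                       # assumption: "NNN x" is the shortest sane reply
        raise SmtpError("Too small respons")
    code = data[:3]
    if not code.isdigit() or data[3:4] not in (b" ", b"-"):
        raise SmtpError("Incorrect respons")
    return int(code), data


def send_line(sock, line):
    payload = line.encode() + b"\r\n"
    sent = sock.send(payload)
    if sent != len(payload):                # partial send: "Error sending command"
        raise SmtpError("Error sending command (sent = %d/%d)" % (sent, len(payload)))


def send_mail(sock, helo_name, sender, rcpt, body):
    """Drive one delivery; returns [(command, reply code), ...]."""
    transcript = []

    def cmd(line, expect):
        send_line(sock, line)
        code, _ = read_response(sock)
        transcript.append((line, code))
        return code == expect

    code, banner = read_response(sock)
    if code != 220:
        raise SmtpError("Incorrect respons")
    # Assumption: "ESMTP" in the banner picks ehlo; helo is the fallback.
    if not (b"ESMTP" in banner and cmd("ehlo %s" % helo_name, 250)):
        if not cmd("helo %s" % helo_name, 250):
            raise SmtpError("helo rejected")
    for line, expect in (("mail from:<%s>" % sender, 250),
                         ("rcpt to:<%s>" % rcpt, 250), ("data", 354)):
        if not cmd(line, expect):
            raise SmtpError("%s rejected" % line.split()[0])
    # Message body, then the 5-byte "\r\n.\r\n" terminator seen at 0040A8D2.
    sock.sendall(body.encode() + b"\r\n.\r\n")
    code, _ = read_response(sock)
    transcript.append(("<message>", code))
    if code != 250:
        raise SmtpError("message rejected")
    cmd("quit", 221)
    return transcript


def fake_server(conn, reject_ehlo=False):
    """Constructed scripted peer; replies are hypothetical, not captured traffic."""
    conn.sendall(b"220 mx.example.test ESMTP\r\n")
    buf, in_data = b"", False
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if in_data:
                if line == b".":
                    in_data = False
                    conn.sendall(b"250 queued\r\n")
                continue
            verb = line.split(b" ", 1)[0].lower()
            if verb == b"ehlo":
                conn.sendall(b"500 no ehlo here\r\n" if reject_ehlo
                             else b"250-mx.example.test\r\n250 AUTH LOGIN\r\n")
            elif verb in (b"helo", b"mail", b"rcpt"):
                conn.sendall(b"250 OK\r\n")
            elif verb == b"data":
                in_data = True
                conn.sendall(b"354 end with <CRLF>.<CRLF>\r\n")
            elif verb == b"quit":
                conn.sendall(b"221 bye\r\n")
                conn.close()
                return
            else:
                conn.sendall(b"502 unrecognised\r\n")


def run_session(reject_ehlo=False):
    """Run client and fake server over a socketpair; returns the client transcript."""
    client_end, server_end = socket.socketpair()
    worker = threading.Thread(target=fake_server, args=(server_end, reject_ehlo), daemon=True)
    worker.start()
    try:
        return send_mail(client_end, "WIN-PC", "bot@example.test",
                         "victim@example.test", "Subject: hello\r\n\r\nconstructed body")
    finally:
        client_end.close()
        worker.join(timeout=5)
```

Run with `run_session()` for the ehlo path and `run_session(reject_ehlo=True)` to see the helo fallback; the verb sequence in the transcript is what a network sensor sees from an infected host, which is why outbound TCP/25 from workstations with exactly this ehlo/mail/rcpt/data cadence is worth alerting on.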
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 007A7A96
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 007A7ACD
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 007A7ADF
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 007A7B01
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 007A7B1F
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 007A7B39
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 007A7B4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 007A7B58
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 007A7B68
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 007A7B77
                                                                                        • LocalFree.KERNEL32(00000000), ref: 007A7B7E
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A7B9A
                                                                                        • GetAce.ADVAPI32(?,?,?), ref: 007A7BCA
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 007A7BF1
                                                                                        • DeleteAce.ADVAPI32(?,?), ref: 007A7C0A
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 007A7C2C
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 007A7CB1
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 007A7CBF
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 007A7CD0
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 007A7CE0
                                                                                        • LocalFree.KERNEL32(00000000), ref: 007A7CEE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: fa13c28fa9c47b9b90c86a8707e828e5432e5134004a72d2210524d721d807bd
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 87815D72904219AFDB11CFA4DD88FEEBBBCAF49310F04817AE505E6150D7798A41CBA4
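The two copies of this routine (0040782F in the on-disk image and 007A7A96 in the unpacked region) follow one pattern: GetFileSecurityA with information 00000005 (OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION), compare the owner SID with the current user's via EqualSid, if different build a fresh descriptor and SetFileSecurityA with 00000001 (owner only), then walk the DACL with GetAce/EqualSid/DeleteAce and write it back with SetSecurityDescriptorDacl and SetFileSecurityA 00000004 (DACL only). The block below is an added Python example, not code from the sample: it implements the DACL walk on the binary ACL layout (ACL header, ACE_HEADER, ACCESS_MASK, SID) over constructed bytes, so the same "strip every ACE naming SID X" step can be reproduced on an ACL dumped from disk or memory without the Windows APIs. The SIDs and access masks in the usage are constructed; the ACL and SID byte layouts are the documented Windows structures.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACL_REVISION = 2
FILE_ALL_ACCESS = 0x1F01FF
DELETE = 0x10000


def sid_to_bytes(sid):
    """Serialise 'S-1-5-21-...' into the binary SID layout ADVAPI32 uses."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf):
    """Parse a binary SID; returns (sid_string, byte_length)."""
    rev, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_ace(ace_type, mask, sid, flags=0):
    """ACE_HEADER (type, flags, size) + ACCESS_MASK + SID."""
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_acl(aces):
    """ACL header (revision, sbz1, size, count, sbz2) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(body), len(aces), 0) + body


def parse_acl(acl):
    """Return [(ace_type, flags, mask, sid), ...], like GetAce called in a loop."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    if size != len(acl):
        raise ValueError("AclSize %d does not match buffer %d" % (size, len(acl)))
    out, off = [], 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", acl, off)
        mask, = struct.unpack_from("<I", acl, off + 4)
        sid, _ = bytes_to_sid(acl[off + 8: off + ace_size])
        out.append((ace_type, flags, mask, sid))
        off += ace_size
    return out


def remove_aces_for_sid(acl, sid):
    """Rebuild the ACL without every ACE whose trustee equals `sid` (EqualSid + DeleteAce)."""
    kept = [build_ace(t, m, s, f) for t, f, m, s in parse_acl(acl) if s != sid]
    return build_acl(kept)


# Constructed sample DACL: a deny ACE and an allow ACE for a hypothetical user,
# plus full control for SYSTEM. Only the SYSTEM ACE must survive.
USER_SID = "S-1-5-21-1111-2222-3333-1001"   # hypothetical
SYSTEM_SID = "S-1-5-18"
SAMPLE_DACL = build_acl([
    build_ace(ACCESS_DENIED_ACE_TYPE, DELETE, USER_SID),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FILE_ALL_ACCESS, SYSTEM_SID),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0x120089, USER_SID),   # FILE_GENERIC_READ
])

if __name__ == "__main__":
    for ace in parse_acl(remove_aces_for_sid(SAMPLE_DACL, USER_SID)):
        print(ace)
```

On a live system the owner-swap step that precedes this walk is visible as a Security event 4670 (permissions on an object were changed) against a file under the Windows directory, from a process that is not the usual installer or servicing stack; the DACL rewrite with information 00000004 produces a second 4670 from the same process.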
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: PromptOnSecureDesktop$localcfg
                                                                                        • API String ID: 237177642-1678164370
                                                                                        • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                        • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 007A865A
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 007A867B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007A86A8
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007A86B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 237177642-3108538426
                                                                                        • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction ID: f39750b59d3a167cac0febac4953d8d45a102e2eed560d698f87c347f5c39f61
                                                                                        • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction Fuzzy Hash: CAC1B67190010CFEEB51ABA4DD85EEF7B7DEB46300F144275F604E6051EB784E948B66
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 007A1601
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 007A17D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $<$@$D
                                                                                        • API String ID: 1628651668-1974347203
                                                                                        • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction ID: 0ac5aa67505872d72649233e28850e15efb93b1bb2b8c1aff0a949ad70595a79
                                                                                        • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction Fuzzy Hash: 2EF17DB1508341DFE720CF64C888BABB7E5FBCA304F508A2DF59697290D7B89944CB56
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007A76D9
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 007A7757
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 007A778F
                                                                                        • ___ascii_stricmp.LIBCMT ref: 007A78B4
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007A794E
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 007A796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007A797E
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007A79AC
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007A7A56
                                                                                          • Part of subcall function 007AF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,007A772A,?), ref: 007AF414
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007A79F6
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007A7A4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "$PromptOnSecureDesktop
                                                                                        • API String ID: 3433985886-3108538426
                                                                                        • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction ID: 6648a38b74676732547aa1f934073fd7732def69b2b0cf3e9115053933abc546
                                                                                        • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction Fuzzy Hash: 9DC1B472904209EFDB159BA4DC49FEF7BB9EF86310F1042A6F504E6151EB789E84CB60
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007A2CED
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 007A2D07
                                                                                        • htons.WS2_32(00000000), ref: 007A2D42
                                                                                        • select.WS2_32 ref: 007A2D8F
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 007A2DB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 007A2E62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 127016686-0
                                                                                        • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction ID: e4af133a11f66d2a595939682ca4a7c4dab354e11b3f48817ea2d0fb7e27e46f
                                                                                        • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction Fuzzy Hash: EA610671508305AFC3209F68CC0CB6BBBF8FBC6741F144A19F94497152D7B8D8828BA6
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?), ref: 007A95A7
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007A95D5
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 007A95DC
                                                                                        • wsprintfA.USER32 ref: 007A9635
                                                                                        • wsprintfA.USER32 ref: 007A9673
                                                                                        • wsprintfA.USER32 ref: 007A96F4
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 007A9758
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007A978D
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007A97D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3696105349-2980165447
                                                                                        • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction ID: 7f7fbf4d751338832f97e5e32d3102f42aaf8318778368f3c2e0060f8d9b59e9
                                                                                        • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction Fuzzy Hash: 1EA170B190020CEFEB21DFA0CC45FDA3BACEB86741F104126FA15D6152E779D994CBA5
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-142018493
                                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                        • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 007A202D
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 007A204F
                                                                                        • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 007A206A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 007A2071
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 007A2082
                                                                                        • GetTickCount.KERNEL32 ref: 007A2230
                                                                                          • Part of subcall function 007A1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 007A1E7C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                        • API String ID: 4207808166-1391650218
                                                                                        • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction ID: 5195866d23f7d5bc1998f78e194c42be6d744a4d59b2c5e670071bfcf2c69a98
                                                                                        • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction Fuzzy Hash: 1551A570504348AFE330AF758C89F677AECEF96704F004A1DF99682143D6BDA9458765
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 007A3068
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 007A3078
                                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 007A3095
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007A30B6
                                                                                        • htons.WS2_32(00000035), ref: 007A30EF
                                                                                        • inet_addr.WS2_32(?), ref: 007A30FA
                                                                                        • gethostbyname.WS2_32(?), ref: 007A310D
                                                                                        • HeapFree.KERNEL32(00000000), ref: 007A314D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: iphlpapi.dll
                                                                                        • API String ID: 2869546040-3565520932
                                                                                        • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction ID: f5567045938bd189bdf0bb0aae11cf279b00d061e8c3c699e2edf5fc05092f2e
                                                                                        • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction Fuzzy Hash: 45318831A00A0AABDB119FB8DC48AAE7778EF46761F144326F518E7290DB7CDE418B54
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                        • API String ID: 1082366364-2834986871
                                                                                        • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                        • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D$PromptOnSecureDesktop
                                                                                        • API String ID: 2981417381-1403908072
                                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                        APIs
                                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007A67C3
                                                                                        • htonl.WS2_32(?), ref: 007A67DF
                                                                                        • htonl.WS2_32(?), ref: 007A67EE
                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007A68F1
                                                                                        • ExitProcess.KERNEL32 ref: 007A69BC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Processhtonl$CurrentExitHugeRead
                                                                                        • String ID: except_info$localcfg
                                                                                        • API String ID: 1150517154-3605449297
                                                                                        • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction ID: 67b28270fac1690539bb4ee92b6a9dfb792506edd4ff7a25df8e0ee952fba722
                                                                                        • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction Fuzzy Hash: 4C618F71940208EFDB609FB4DC45FEA77E9FB49300F14816AFA6CD2161DA75A9908F14
                                                                                        APIs
                                                                                        • htons.WS2_32(007ACC84), ref: 007AF5B4
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 007AF5CE
                                                                                        • closesocket.WS2_32(00000000), ref: 007AF5DC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction ID: aa80d880a691390730ed55691dbbc1ff174b7b6c1044aac1eb9e1acea4806473
                                                                                        • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction Fuzzy Hash: 60314972900118ABDB119FA5DC899EE7BBCEF8A310F104666F915E3150E7749A818BA4
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                        • wsprintfA.USER32 ref: 00407036
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                        • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(?), ref: 007A2FA1
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 007A2FB1
                                                                                        • GetProcAddress.KERNEL32(00000000,004103F0), ref: 007A2FC8
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 007A3000
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007A3007
                                                                                        • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 007A3032
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: dnsapi.dll
                                                                                        • API String ID: 1242400761-3175542204
                                                                                        • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                        • Instruction ID: 54e61e94db017a45b83b65102748a17d79c9443427bdab8b5dbab64de55a3bc1
                                                                                        • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                        • Instruction Fuzzy Hash: 8B219271900225BBCB219F54DC489AFBBB9EF49B10F108521F901E7141D7B89E8187D4
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3609698214-2980165447
                                                                                        • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                        • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\dsjfzmi,007A7043), ref: 007A6F4E
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 007A6F55
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 007A6F7B
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 007A6F92
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\dsjfzmi
                                                                                        • API String ID: 1082366364-293945363
                                                                                        • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                        • Instruction ID: 8739d23b16584eb058c9f855123ec3b1b8e895345a93a1ebf7a1fce1e00fe494
                                                                                        • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                        • Instruction Fuzzy Hash: 8721FF21745340BEF7225331AC8DFBB2A4C8B93721F1842A5F504E6082DADD88D682AD
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2439722600-2980165447
                                                                                        • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                        • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?), ref: 007A92E2
                                                                                        • wsprintfA.USER32 ref: 007A9350
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 007A9375
                                                                                        • lstrlen.KERNEL32(?,?,00000000), ref: 007A9389
                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 007A9394
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 007A939B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2439722600-2980165447
                                                                                        • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction ID: 0743ca3a0b68a31b67daaabc73f7a65059d5e3f029388e34c396031e7c106ac4
                                                                                        • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction Fuzzy Hash: 7F1184B1740114BFEB606B72EC0EFEF3A6DDBC9B10F008165BB09E5091EAB94A518664
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 007A9A18
                                                                                        • GetThreadContext.KERNEL32(?,?), ref: 007A9A52
                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 007A9A60
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 007A9A98
                                                                                        • SetThreadContext.KERNEL32(?,00010002), ref: 007A9AB5
                                                                                        • ResumeThread.KERNEL32(?), ref: 007A9AC2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction ID: dbdfcde3d04210e57e9ab94e5d80ba9fd03f78c79d8396e5120e731a9e53c034
                                                                                        • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction Fuzzy Hash: 28216BB1E01219BBDB119BA1DC09EEF7BBCEF05750F008161FA09E1050E7798A50CBA4
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(004102D8), ref: 007A1C18
                                                                                        • LoadLibraryA.KERNEL32(004102C8), ref: 007A1C26
                                                                                        • GetProcessHeap.KERNEL32 ref: 007A1C84
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 007A1C9D
                                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 007A1CC1
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 007A1D02
                                                                                        • FreeLibrary.KERNEL32(?), ref: 007A1D0B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID:
                                                                                        • API String ID: 2324436984-0
                                                                                        • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction ID: 28128e4a67706c6e1e1faf78f15c1553927c704922cbcefc5691c181440db9ee
                                                                                        • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction Fuzzy Hash: CF314132E00219BFDB119FE4DC888FEBBB9EB86751F64457AE501A3110D7B94E80DB64
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                        • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1586453840-2980165447
                                                                                        • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                        • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                        • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1371578007-2980165447
                                                                                        • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                        • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007A6CE4
                                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 007A6D22
                                                                                        • GetLastError.KERNEL32 ref: 007A6DA7
                                                                                        • CloseHandle.KERNEL32(?), ref: 007A6DB5
                                                                                        • GetLastError.KERNEL32 ref: 007A6DD6
                                                                                        • DeleteFileA.KERNEL32(?), ref: 007A6DE7
                                                                                        • GetLastError.KERNEL32 ref: 007A6DFD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3873183294-0
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: 067fb9b6a19a9ee56bf0196b7f03e3378b6244ccc832da9f8c147c0495844b32
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: E5310176A00249FFCF01EFA4DD48ADE7F79EB8A340F188275E211E3251D7748A958B61
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,007AE50A,00000000,00000000,00000000,00020106,00000000,007AE50A,00000000,000000E4), ref: 007AE319
                                                                                        • RegSetValueExA.ADVAPI32(007AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 007AE38E
                                                                                        • RegDeleteValueA.ADVAPI32(007AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dz), ref: 007AE3BF
                                                                                        • RegCloseKey.ADVAPI32(007AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dz,007AE50A), ref: 007AE3C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseCreateDelete
                                                                                        • String ID: PromptOnSecureDesktop$Dz
                                                                                        • API String ID: 2667537340-2866320310
                                                                                        • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                        • Instruction ID: 6190a51b128b817c32ba371f9950b425b5e7b028ee81b371d635e9814615a2e0
                                                                                        • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                        • Instruction Fuzzy Hash: 59214A71A0021DBBDF209FA5EC89EEF7F79EF49750F008161F904A7151E2718A54D7A0
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3857584221-2980165447
                                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007A93C6
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 007A93CD
                                                                                        • CharToOemA.USER32(?,?), ref: 007A93DB
                                                                                        • wsprintfA.USER32 ref: 007A9410
                                                                                          • Part of subcall function 007A92CB: GetTempPathA.KERNEL32(00000400,?), ref: 007A92E2
                                                                                          • Part of subcall function 007A92CB: wsprintfA.USER32 ref: 007A9350
                                                                                          • Part of subcall function 007A92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 007A9375
                                                                                          • Part of subcall function 007A92CB: lstrlen.KERNEL32(?,?,00000000), ref: 007A9389
                                                                                          • Part of subcall function 007A92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 007A9394
                                                                                          • Part of subcall function 007A92CB: CloseHandle.KERNEL32(00000000), ref: 007A939B
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 007A9448
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3857584221-2980165447
                                                                                        • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction ID: e8b6d333aa1cb0e77c928694c4141108b627b88907bf724bf2ceb66178d3d8e8
                                                                                        • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                        • Instruction Fuzzy Hash: 090140F6900158BBD721A7619D8DEDF367CDBD6701F0041A1BB49E2080DAB896C58F75
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen
                                                                                        • String ID: $localcfg
                                                                                        • API String ID: 1659193697-2018645984
                                                                                        • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction ID: 18f0e572ac2a83815d2fabe8e2639f6fe5a0cd286f2468694c327b716c25d3ce
                                                                                        • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction Fuzzy Hash: E7712A72B00304BAEF218B94DC85FEE37699B83315F244236F945A6091DB6E9D84C767
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                        • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                        APIs
                                                                                          • Part of subcall function 007ADF6C: GetCurrentThreadId.KERNEL32 ref: 007ADFBA
                                                                                        • lstrcmp.KERNEL32(00410178,00000000), ref: 007AE8FA
                                                                                        • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,007A6128), ref: 007AE950
                                                                                        • lstrcmp.KERNEL32(?,00000008), ref: 007AE989
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 2920362961-1846390581
                                                                                        • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                        • Instruction ID: d81ad8cd2e37816e137841f4ac23e8fd88ade8a58b116fa896468cf86dfb369a
                                                                                        • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                        • Instruction Fuzzy Hash: B0319E31600705DBDB718F24C888BA77BE8EB96720F108B2AE59687551D378FC80CB92
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction ID: 4c70d75e1041cd4fa40e2d6bc6398d017097a6ba60fb93194e179ff5052f4514
                                                                                        • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction Fuzzy Hash: B421A27A209115FFDB10AB70FC49EDF7FADEB8A360B248625F502D1091EB78DA009674
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                        • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                        • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 007AC6B4
                                                                                        • InterlockedIncrement.KERNEL32(007AC74B), ref: 007AC715
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,007AC747), ref: 007AC728
                                                                                        • CloseHandle.KERNEL32(00000000,?,007AC747,00413588,007A8A77), ref: 007AC733
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1026198776-1857712256
                                                                                        • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                        • Instruction ID: e861f1896a11af9f98d05bc03bcc7904bf066f8f650d31a56897882b4fe0143f
                                                                                        • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                        • Instruction Fuzzy Hash: 19514DB1A01B419FD725CF69C6C552ABBE9FB89300B505A3EE18BC7A90D778F844CB50
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                          • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                          • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 124786226-2980165447
                                                                                        • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                        • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                        • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                        • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                        APIs
                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                        • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                        • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                        • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseCreateDelete
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 2667537340-2980165447
                                                                                        • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                        • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                        • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                        • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 007A71E1
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 007A7228
                                                                                        • LocalFree.KERNEL32(?,?,?), ref: 007A7286
                                                                                        • wsprintfA.USER32 ref: 007A729D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                        • String ID: |
                                                                                        • API String ID: 2539190677-2343686810
                                                                                        • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction ID: bff2add31217f678134ac0aff59f16b1751c9a593d0ef9881deb13ca6713af1f
                                                                                        • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                        • Instruction Fuzzy Hash: E2313A72A04208BBDB01DFA8DC49BDA3BBCEF45310F14C166F959DB141EA79DA48CB94
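The function entries above are raw API sequences with the hive handles and access masks printed as hex constants, which is slow to read by eye across dozens of functions. As an added example (not part of the Joe Sandbox report and not code from the analysed sample), the following Python script parses entries in exactly this layout, including the indented "Part of subcall function" bullets and the "String ID" line of the Similarity section, decodes the registry hive and CreateFile access constants, and tags each function with behaviour rules that correspond to the signatures listed at the top of this report. The SAMPLE text is copied from three entries on this page; the rule labels, constant tables and function names are the example's own.

```python
"""Triage helper for the per-function 'APIs' entries of a Joe Sandbox report.

Added example for this page, not Joe Sandbox tooling: parses the API bullets,
decodes hive/access constants, and applies simple behavioural rules.
SAMPLE below is copied from three entries on this page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# One API bullet. Three shapes occur in the report:
#   • CreateFileA.KERNEL32(?,40000000,00000000), ref: 007A9375
#   • wsprintfA.USER32 ref: 007A9410                 (no argument list)
#     • Part of subcall function 007A92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 007A9394
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")

# First argument of RegOpenKeyExA/RegCreateKeyExA: predefined hive handles.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
# Second argument of CreateFileA: dwDesiredAccess (GENERIC_* bits).
ACCESS = {"80000000": "GENERIC_READ", "40000000": "GENERIC_WRITE",
          "C0000000": "GENERIC_READ|GENERIC_WRITE"}

# (label, APIs that must all be present, String IDs that must all be present); labels are this example's own.
RULES: List[Tuple[str, Set[str], Set[str]]] = [
    ("writes a file under %TEMP% and launches it with ShellExecute "
     "(consistent with the report's 'Deletes itself after installation' signature)",
     {"GetTempPathA", "CreateFileA", "WriteFile", "ShellExecuteA"}, set()),
    ("converts its own module path to the OEM code page (batch-file argument preparation)",
     {"GetModuleFileNameA", "CharToOemA"}, set()),
    ("sets and deletes the UAC policy value PromptOnSecureDesktop",
     {"RegSetValueExA", "RegDeleteValueA"}, {"PromptOnSecureDesktop"}),
    ("resolves the current user's SID via LookupAccountNameA",
     {"GetUserNameA", "LookupAccountNameA"}, set()),
    ("handles the 'localcfg' / 'flags_upd' configuration strings",
     {"lstrcpynA"}, {"localcfg", "flags_upd"}),
]


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address when the bullet is 'Part of subcall function'


@dataclass
class FunctionEntry:
    calls: List[Call] = field(default_factory=list)
    strings: Set[str] = field(default_factory=set)

    @property
    def apis(self) -> Set[str]:
        return {c.api for c in self.calls}


def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' block; text before the first block is ignored."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            cur.calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("sub")))
            continue
        m = STRING_ID.match(line)
        if m:  # the report joins several strings with '$', e.g. 'flags_upd$localcfg'
            cur.strings |= {t.strip() for t in m.group("ids").split("$") if t.strip()}
    return entries


def classify(entry: FunctionEntry) -> List[str]:
    """Labels of every rule whose API set and string set are both satisfied."""
    return [label for label, apis, strs in RULES if apis <= entry.apis and strs <= entry.strings]


def decode_constants(entry: FunctionEntry) -> List[Tuple[str, str, str]]:
    """(ref, api, meaning) for hive handles and access masks the report prints raw."""
    out = []
    for c in entry.calls:
        if c.api in ("RegOpenKeyExA", "RegCreateKeyExA") and c.args:
            out.append((c.ref, c.api, HIVES.get(c.args[0].upper(), c.args[0])))
        elif c.api == "CreateFileA" and len(c.args) > 1:
            out.append((c.ref, c.api, ACCESS.get(c.args[1].upper(), c.args[1])))
    return out


def triage(text: str) -> List[dict]:
    """Per-function summary: address of the first call, matched labels, decoded constants."""
    return [{"first_ref": e.calls[0].ref if e.calls else None,
             "labels": classify(e), "constants": decode_constants(e)}
            for e in parse_entries(text)]


SAMPLE = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000), ref: 007A93CD
• CharToOemA.USER32(?,?), ref: 007A93DB
• wsprintfA.USER32 ref: 007A9410
  • Part of subcall function 007A92CB: GetTempPathA.KERNEL32(00000400,?), ref: 007A92E2
  • Part of subcall function 007A92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 007A9375
  • Part of subcall function 007A92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 007A9394
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 007A9448
Memory Dump Source
• Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
• String ID: PromptOnSecureDesktop
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• String ID: PromptOnSecureDesktop
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007A71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 007A7228
• String ID: |
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_entries(SAMPLE)):
        print(f"function {i}: {sorted(e.apis)}")
        for label in classify(e):
            print("   ->", label)
        for ref, api, meaning in decode_constants(e):
            print(f"   {api} @ {ref}: {meaning}")
```

Paste the whole "Function analysis" section of a report into SAMPLE (or read it from a file) to run the same rules over every function; the regex tolerates the deep indentation of the extracted page, and the rules are deliberately set-based so that the order of calls inside a function, which the report does not guarantee, does not matter.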
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                                        • String ID: LocalHost
                                                                                        • API String ID: 3695455745-3154191806
                                                                                        • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                        • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                        • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 007AB51A
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007AB529
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 007AB548
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 007AB590
                                                                                        • wsprintfA.USER32 ref: 007AB61E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 4026320513-0
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: c3d9257fc7d91334dac39751921f7e1db5edabe783ee75037868421e6638344e
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: 29511271D0021CAACF14DFD5D8495EEBBB9BF49304F10826AF505A6150E7B84AC9CF94
                                                                                        APIs
                                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 007A6303
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 007A632A
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 007A63B1
                                                                                        • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 007A6405
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: HugeRead$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 3498078134-0
                                                                                        • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction ID: 9edaa4551296029dce35af114830fc5f80402db6987815c4f01ada29df534f4f
                                                                                        • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                        • Instruction Fuzzy Hash: EF416DB1A00205EFDF14CF58C884BA9B7B4FF85354F288269E915D7290E779EE41CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                        • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                        • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                        • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                        • String ID: A$ A
                                                                                        • API String ID: 3343386518-686259309
                                                                                        • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                        • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                        • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                        • String ID:
                                                                                        • API String ID: 1128258776-0
                                                                                        • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                        • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                        • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                        • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                        • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                        • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                        • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000001,Dz,00000000,00000000,00000000), ref: 007AE470
                                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 007AE484
                                                                                          • Part of subcall function 007AE2FC: RegCreateKeyExA.ADVAPI32(80000001,007AE50A,00000000,00000000,00000000,00020106,00000000,007AE50A,00000000,000000E4), ref: 007AE319
                                                                                          • Part of subcall function 007AE2FC: RegSetValueExA.ADVAPI32(007AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 007AE38E
                                                                                          • Part of subcall function 007AE2FC: RegDeleteValueA.ADVAPI32(007AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dz), ref: 007AE3BF
                                                                                          • Part of subcall function 007AE2FC: RegCloseKey.ADVAPI32(007AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dz,007AE50A), ref: 007AE3C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                        • String ID: PromptOnSecureDesktop$Dz
                                                                                        • API String ID: 4151426672-2866320310
                                                                                        • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                        • Instruction ID: e3ea636db6e6a9c0528cfd9d39b245b1861a5e66675956ba943cf5746de0ff32
                                                                                        • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                        • Instruction Fuzzy Hash: D041FF72D00204FBEB205F559C4AFDB3B6CEF96725F148235FA0994092E7B98B50DAB4
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                        • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 3683885500-2980165447
                                                                                        • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                        • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                        • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                        • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                        APIs
                                                                                          • Part of subcall function 007ADF6C: GetCurrentThreadId.KERNEL32 ref: 007ADFBA
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,007AA6AC), ref: 007AE7BF
                                                                                        • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,007AA6AC), ref: 007AE7EA
                                                                                        • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,007AA6AC), ref: 007AE819
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1396056608-2980165447
                                                                                        • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                        • Instruction ID: 956b943161e857144f79f7441cb6c0d3f798f736348a0bccfc2c20cf97bc3ff6
                                                                                        • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                        • Instruction Fuzzy Hash: D0210AB1A00300BAE22177755C4FFDB3D0CDBE6760F500624FA09A51D3EA5D995081B5
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 2574300362-1087626847
                                                                                        • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                        • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                        • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007A76D9
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 007A796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007A797E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseEnumOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 1332880857-2980165447
                                                                                        • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                        • Instruction ID: 2ea1eb3221b37523990adef42fb40238083386c5440e7cc7eff3f099525efabe
                                                                                        • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                        • Instruction Fuzzy Hash: A111EE30A04109AFDB128FA9DC49FEFBFB8EB82301F144261F510E6291E2B88D40CB61
                                                                                        APIs
                                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2777991786-2393279970
                                                                                        • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                        • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                        • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                        • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                        • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValue
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 849931509-2980165447
                                                                                        • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                        • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                        • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                        • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 007A999D
                                                                                        • RegDeleteValueA.ADVAPI32(?,00000000), ref: 007A99BD
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007A99C6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValue
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 849931509-2980165447
                                                                                        • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                        • Instruction ID: eb430a4840023efddb71f9b0110ab08eda7731a187d80c25487739a902603733
                                                                                        • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                        • Instruction Fuzzy Hash: 1BF0C8B2640108BBF7116754AC0BFDB3A2CDB95710F100060F605B5082F6E55B9142B9
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg$u6A
                                                                                        • API String ID: 1594361348-1940331995
                                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction ID: ba4ee3fbd81653ec4d786a013be8289af9718a07a72f86409582ae18954ba43e
                                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                        • Instruction Fuzzy Hash: C2E08C316041118FCB408B2CF848AC637A4AF8B330F008280F040D31A1C7389C829640
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 007A69E5
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 007A6A26
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000), ref: 007A6A3A
                                                                                        • CloseHandle.KERNEL32(000000FF), ref: 007A6BD8
                                                                                          • Part of subcall function 007AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,007A1DCF,?), ref: 007AEEA8
                                                                                          • Part of subcall function 007AEE95: HeapFree.KERNEL32(00000000), ref: 007AEEAF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 3384756699-0
                                                                                        • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction ID: d5efb313ff37d9918df2aa5da4faceda2bd517aaff7b178aa0ba0b3f8a3cf34c
                                                                                        • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                        • Instruction Fuzzy Hash: FA7139B190021DEFDF10DFA4CC80AEEBBB9FB45314F24466AE515E6190D7349E92DB60
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                        • API String ID: 2111968516-120809033
                                                                                        • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                        • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                        • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                        • GetLastError.KERNEL32 ref: 00403F4E
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007A41AB
                                                                                        • GetLastError.KERNEL32 ref: 007A41B5
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 007A41C6
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007A41D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 71191414e70fbfd5889a7aab76b1d2399c049bc9bbf5f0824c8b4ae5a1e0dcea
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: FB01257691110EEBDF01DF90ED85BEE3BACEB58355F008461F901E2050D7B59AA08BBA
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007A421F
                                                                                        • GetLastError.KERNEL32 ref: 007A4229
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 007A423A
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007A424D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 67e8ca22c15486610c9638e7129d13b83ad10267da099e2a2f3198bb3b9eda43
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: A101E572511109ABDF01DF90EE84BEE7BACFB89355F108161F901E2090D7B59A548BB6
                                                                                        APIs
                                                                                        • lstrcmp.KERNEL32(?,80000009), ref: 007AE066
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 1534048567-1846390581
                                                                                        • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction ID: 56579ecad4bbcd52d0466792433b7a9503f3ecd1d7518f5104fcf46ed408560d
                                                                                        • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction Fuzzy Hash: A2F062312007029BCB20CF25D884A93B7E9FB86321B64872AE154C3060D3B8A8D8CB51
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                        • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                        • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                        • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                        • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                        • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                        • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                        • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00403103
                                                                                        • GetTickCount.KERNEL32 ref: 0040310F
                                                                                        • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                        • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                          • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                          • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                          • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 4151426672-2980165447
                                                                                        • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                        • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                        • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                        • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007A83C6
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 007A8477
                                                                                          • Part of subcall function 007A69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007A69E5
                                                                                          • Part of subcall function 007A69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 007A6A26
                                                                                          • Part of subcall function 007A69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 007A6A3A
                                                                                          • Part of subcall function 007AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,007A1DCF,?), ref: 007AEEA8
                                                                                          • Part of subcall function 007AEE95: HeapFree.KERNEL32(00000000), ref: 007AEEAF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 359188348-2980165447
                                                                                        • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                        • Instruction ID: 5be059bff0e1c532f1252a3d96e54a90684e0ba3ae12297e2fff0ae80fed8377
                                                                                        • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                        • Instruction Fuzzy Hash: 804181B290414ABFEB50EFA09D85DFF776CEB8A340F144666F504D6011FAB85A848B62
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,007AE859,00000000,00020119,007AE859,PromptOnSecureDesktop), ref: 007AE64D
                                                                                        • RegCloseKey.ADVAPI32(007AE859,?,?,?,?,000000C8,000000E4), ref: 007AE787
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseOpen
                                                                                        • String ID: PromptOnSecureDesktop
                                                                                        • API String ID: 47109696-2980165447
                                                                                        • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                        • Instruction ID: 94af296d77724ba5de08690cd2ad21346c2d6800d1f7e8d0a13a31d6b2fb1d1b
                                                                                        • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                        • Instruction Fuzzy Hash: AF4145B2D0021DBFDF11AFE4DC85DEEBBB9EB59304F004566FA00A6160E3758A558B60
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 007AAFFF
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 007AB00D
                                                                                          • Part of subcall function 007AAF6F: gethostname.WS2_32(?,00000080), ref: 007AAF83
                                                                                          • Part of subcall function 007AAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 007AAFE6
                                                                                          • Part of subcall function 007A331C: gethostname.WS2_32(?,00000080), ref: 007A333F
                                                                                          • Part of subcall function 007A331C: gethostbyname.WS2_32(?), ref: 007A3349
                                                                                          • Part of subcall function 007AAA0A: inet_ntoa.WS2_32(00000000), ref: 007AAA10
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %OUTLOOK_BND_
                                                                                        • API String ID: 1981676241-3684217054
                                                                                        • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction ID: e0c96fee9aeb6afbc09a366da71afaf6ac1f020ee1bddd906446051a90a54878
                                                                                        • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction Fuzzy Hash: B0413E7290020CEBDB25EFA0DC4AEEF3BACFB49304F244526F92492152EB79D6548B54
                                                                                        APIs
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 007A9536
                                                                                        • Sleep.KERNEL32(000001F4), ref: 007A955D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShellSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4194306370-3916222277
                                                                                        • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                        • Instruction ID: 379871369f386797d07f56488b4f2c4710de998fb1227b7bb66b48b2b696500b
                                                                                        • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                        • Instruction Fuzzy Hash: E241F771C043946EFB779B68D88E7E63BA49BC7310F2803A5D682971D2E67C4DA18711
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 007AB9D9
                                                                                        • InterlockedIncrement.KERNEL32(00413648), ref: 007ABA3A
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 007ABA94
                                                                                        • GetTickCount.KERNEL32 ref: 007ABB79
                                                                                        • GetTickCount.KERNEL32 ref: 007ABB99
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 007ABE15
                                                                                        • closesocket.WS2_32(00000000), ref: 007ABEB4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountIncrementInterlockedTick$closesocket
                                                                                        • String ID: %FROM_EMAIL
                                                                                        • API String ID: 1869671989-2903620461
                                                                                        • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                        • Instruction ID: 87e24df7dd1b36e2436c083c6ffb6a40f04da7da88570dee73fc45816ed17ff4
                                                                                        • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                        • Instruction Fuzzy Hash: B0319371504248DFDF25DFA4DC44AED77B8FB85700F204256FA1492152DB39DA85CF10
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 536389180-1857712256
                                                                                        • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                        • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                        • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 007A70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007A70F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 00000000.00000002.2085970655.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2085970655.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
APIs
  • Part of subcall function 007A2F88: GetModuleHandleA.KERNEL32(?), ref: 007A2FA1
  • Part of subcall function 007A2F88: LoadLibraryA.KERNEL32(?), ref: 007A2FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A31DA
• HeapFree.KERNEL32(00000000), ref: 007A31E1
Memory Dump Source
• Source File: 00000000.00000002.2089631282.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_UUJycuNA6D.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0

Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 29.7%
Signature Coverage: 0%
Total number of Nodes: 1607
Total number of Limit Nodes: 15
15562 406e36 GetUserNameW 15197->15562 15200 406784 CreateFileA 15199->15200 15201 40677a SetFileAttributesA 15199->15201 15202 4067a4 CreateFileA 15200->15202 15203 4067b5 15200->15203 15201->15200 15202->15203 15204 4067c5 15203->15204 15205 4067ba SetFileAttributesA 15203->15205 15206 406977 15204->15206 15207 4067cf GetFileSize 15204->15207 15205->15204 15206->15105 15224 406a60 CreateFileA 15206->15224 15208 4067e5 15207->15208 15223 406922 15207->15223 15210 4067ed ReadFile 15208->15210 15208->15223 15209 40696e CloseHandle 15209->15206 15211 406811 SetFilePointer 15210->15211 15210->15223 15212 40682a ReadFile 15211->15212 15211->15223 15213 406848 SetFilePointer 15212->15213 15212->15223 15216 406867 15213->15216 15213->15223 15214 4068d0 15214->15209 15217 40ebcc 4 API calls 15214->15217 15215 406878 ReadFile 15215->15214 15215->15216 15216->15214 15216->15215 15218 4068f8 15217->15218 15219 406900 SetFilePointer 15218->15219 15218->15223 15220 40695a 15219->15220 15221 40690d ReadFile 15219->15221 15222 40ec2e codecvt 4 API calls 15220->15222 15221->15220 15221->15223 15222->15223 15223->15209 15225 406b8c GetLastError 15224->15225 15226 406a8f GetDiskFreeSpaceA 15224->15226 15228 406b86 15225->15228 15227 406ac5 15226->15227 15236 406ad7 15226->15236 15565 40eb0e 15227->15565 15228->15121 15232 406b56 CloseHandle 15232->15228 15235 406b65 GetLastError CloseHandle 15232->15235 15233 406b36 GetLastError CloseHandle 15234 406b7f DeleteFileA 15233->15234 15234->15228 15235->15234 15569 406987 15236->15569 15238 4099eb 15237->15238 15239 409a2f lstrcatA 15238->15239 15240 40ee2a 15239->15240 15241 409a4b lstrcatA 15240->15241 15242 406a60 13 API calls 15241->15242 15243 409a60 15242->15243 15243->15127 15243->15142 15243->15157 15579 401910 15244->15579 15247 40934a GetModuleHandleA GetModuleFileNameA 15249 40937f 15247->15249 15250 4093a4 15249->15250 15251 4093d9 15249->15251 15252 4093c3 wsprintfA 15250->15252 15253 409401 wsprintfA 15251->15253 15255 
409415 15252->15255 15253->15255 15254 4094a0 15581 406edd 15254->15581 15255->15254 15258 406cc9 5 API calls 15255->15258 15257 4094ac 15259 40962f 15257->15259 15260 4094e8 RegOpenKeyExA 15257->15260 15264 409439 15258->15264 15265 409646 15259->15265 15602 401820 15259->15602 15262 409502 15260->15262 15263 4094fb 15260->15263 15268 40951f RegQueryValueExA 15262->15268 15263->15259 15267 40958a 15263->15267 15269 40ef1e lstrlenA 15264->15269 15274 4095d6 15265->15274 15608 4091eb 15265->15608 15267->15265 15270 409593 15267->15270 15271 409530 15268->15271 15272 409539 15268->15272 15273 409462 15269->15273 15270->15274 15589 40f0e4 15270->15589 15275 40956e RegCloseKey 15271->15275 15276 409556 RegQueryValueExA 15272->15276 15277 40947e wsprintfA 15273->15277 15274->15161 15274->15162 15275->15263 15276->15271 15276->15275 15277->15254 15279 4095bb 15279->15274 15596 4018e0 15279->15596 15282 402544 15281->15282 15283 40972d RegOpenKeyExA 15282->15283 15284 409740 15283->15284 15285 409765 15283->15285 15286 40974f RegDeleteValueA RegCloseKey 15284->15286 15285->15138 15286->15285 15288 402554 15287->15288 15288->15176 15288->15288 15290 402544 15289->15290 15291 40919e wsprintfA 15290->15291 15292 4091bb 15291->15292 15646 409064 GetTempPathA 15292->15646 15295 4091d5 ShellExecuteA 15296 4091e7 15295->15296 15296->15121 15653 40dd05 GetTickCount 15297->15653 15299 40e538 15660 40dbcf 15299->15660 15301 40e544 15302 40e555 GetFileSize 15301->15302 15303 40e5b8 15301->15303 15304 40e5b1 CloseHandle 15302->15304 15305 40e566 15302->15305 15679 40e3ca RegOpenKeyExA 15303->15679 15304->15303 15670 40db2e 15305->15670 15308 40e576 ReadFile 15308->15304 15309 40e58d 15308->15309 15674 40e332 15309->15674 15313 40e5f2 15314 40e3ca 19 API calls 15313->15314 15315 40e629 15313->15315 15314->15315 15315->15079 15317 40eabe 15316->15317 15319 40eaba 15316->15319 15318 40dd05 6 API calls 15317->15318 15317->15319 15318->15319 15319->15083 15321 40ee2a 15320->15321 15322 
401db4 GetVersionExA 15321->15322 15323 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 15322->15323 15325 401e24 15323->15325 15326 401e16 GetCurrentProcess 15323->15326 15732 40e819 15325->15732 15326->15325 15328 401e3d 15329 40e819 11 API calls 15328->15329 15330 401e4e 15329->15330 15331 401e77 15330->15331 15739 40df70 15330->15739 15748 40ea84 15331->15748 15334 401e6c 15337 40df70 12 API calls 15334->15337 15336 40e819 11 API calls 15338 401e93 15336->15338 15337->15331 15752 40199c inet_addr LoadLibraryA 15338->15752 15341 40e819 11 API calls 15342 401eb9 15341->15342 15343 401ed8 15342->15343 15344 40f04e 4 API calls 15342->15344 15345 40e819 11 API calls 15343->15345 15347 401ec9 15344->15347 15346 401eee 15345->15346 15348 401f0a 15346->15348 15765 401b71 15346->15765 15349 40ea84 30 API calls 15347->15349 15351 40e819 11 API calls 15348->15351 15349->15343 15353 401f23 15351->15353 15352 401efd 15354 40ea84 30 API calls 15352->15354 15355 401f3f 15353->15355 15769 401bdf 15353->15769 15354->15348 15357 40e819 11 API calls 15355->15357 15358 401f5e 15357->15358 15360 401f77 15358->15360 15362 40ea84 30 API calls 15358->15362 15776 4030b5 15360->15776 15361 40ea84 30 API calls 15361->15355 15362->15360 15366 406ec3 2 API calls 15367 401f8e GetTickCount 15366->15367 15367->15087 15369 406ec3 2 API calls 15368->15369 15370 4080eb 15369->15370 15371 4080f9 15370->15371 15372 4080ef 15370->15372 15374 40704c 16 API calls 15371->15374 15824 407ee6 15372->15824 15376 408110 15374->15376 15375 4080f4 15377 40675c 21 API calls 15375->15377 15386 408269 CreateThread 15375->15386 15376->15375 15378 408156 RegOpenKeyExA 15376->15378 15381 408244 15377->15381 15378->15375 15379 40816d RegQueryValueExA 15378->15379 15380 4081f7 15379->15380 15383 40818d 15379->15383 15382 40820d RegCloseKey 15380->15382 15385 40ec2e codecvt 4 API calls 15380->15385 15384 40ec2e codecvt 4 API calls 15381->15384 15381->15386 15382->15375 15383->15380 15387 40ebcc 4 API calls 
15383->15387 15384->15386 15392 4081dd 15385->15392 15393 405e6c 15386->15393 16153 40877e 15386->16153 15388 4081a0 15387->15388 15388->15382 15389 4081aa RegQueryValueExA 15388->15389 15389->15380 15390 4081c4 15389->15390 15391 40ebcc 4 API calls 15390->15391 15391->15392 15392->15382 15892 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15393->15892 15395 405e71 15893 40e654 15395->15893 15397 405ec1 15398 403132 15397->15398 15399 40df70 12 API calls 15398->15399 15400 40313b 15399->15400 15401 40c125 15400->15401 15904 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15401->15904 15403 40c12d 15404 40e654 13 API calls 15403->15404 15405 40c2bd 15404->15405 15406 40e654 13 API calls 15405->15406 15407 40c2c9 15406->15407 15408 40e654 13 API calls 15407->15408 15409 40a47a 15408->15409 15410 408db1 15409->15410 15411 408dbc 15410->15411 15412 40e654 13 API calls 15411->15412 15413 408dec Sleep 15412->15413 15413->15123 15415 40c92f 15414->15415 15416 40c93c 15415->15416 15905 40c517 15415->15905 15418 40e819 11 API calls 15416->15418 15450 40ca2b 15416->15450 15419 40c96a 15418->15419 15420 40e819 11 API calls 15419->15420 15421 40c97d 15420->15421 15422 40e819 11 API calls 15421->15422 15423 40c990 15422->15423 15424 40c9aa 15423->15424 15425 40ebcc 4 API calls 15423->15425 15424->15450 15922 402684 15424->15922 15425->15424 15430 40ca26 15929 40c8aa 15430->15929 15433 40ca44 15434 40ca4b closesocket 15433->15434 15435 40ca83 15433->15435 15434->15430 15436 40ea84 30 API calls 15435->15436 15437 40caac 15436->15437 15438 40f04e 4 API calls 15437->15438 15439 40cab2 15438->15439 15440 40ea84 30 API calls 15439->15440 15441 40caca 15440->15441 15442 40ea84 30 API calls 15441->15442 15443 40cad9 15442->15443 15937 40c65c 15443->15937 15446 40cb60 closesocket 15446->15450 15448 40dad2 closesocket 15449 40e318 23 API calls 15448->15449 15449->15450 15450->15123 15451 40df4c 20 API calls 15510 40cb70 15451->15510 15456 40e654 13 
API calls 15456->15510 15462 40d815 wsprintfA 15462->15510 15463 40cc1c GetTempPathA 15463->15510 15464 40ea84 30 API calls 15464->15510 15465 40d569 closesocket Sleep 15984 40e318 15465->15984 15467 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15467->15510 15468 40c517 23 API calls 15468->15510 15469 40d582 ExitProcess 15470 40e8a1 30 API calls 15470->15510 15471 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15471->15510 15472 40cfe3 GetSystemDirectoryA 15472->15510 15473 40675c 21 API calls 15473->15510 15474 40d027 GetSystemDirectoryA 15474->15510 15475 40cfad GetEnvironmentVariableA 15475->15510 15476 40d105 lstrcatA 15476->15510 15477 40ef1e lstrlenA 15477->15510 15478 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15478->15510 15479 40cc9f CreateFileA 15482 40ccc6 WriteFile 15479->15482 15479->15510 15480 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15480->15510 15481 40d15b CreateFileA 15485 40d182 WriteFile CloseHandle 15481->15485 15481->15510 15483 40cdcc CloseHandle 15482->15483 15484 40cced CloseHandle 15482->15484 15483->15510 15490 40cd2f 15484->15490 15485->15510 15486 40cd16 wsprintfA 15486->15490 15487 40d149 SetFileAttributesA 15487->15481 15488 40d36e GetEnvironmentVariableA 15488->15510 15489 40d1bf SetFileAttributesA 15489->15510 15490->15486 15966 407fcf 15490->15966 15491 407ead 6 API calls 15491->15510 15492 40d22d GetEnvironmentVariableA 15492->15510 15494 40d3af lstrcatA 15497 40d3f2 CreateFileA 15494->15497 15494->15510 15496 407fcf 64 API calls 15496->15510 15498 40d415 WriteFile CloseHandle 15497->15498 15497->15510 15498->15510 15499 40cd81 WaitForSingleObject CloseHandle CloseHandle 15501 40f04e 4 API calls 15499->15501 15500 40cda5 15502 407ee6 64 API calls 15500->15502 15501->15500 15504 40cdbd DeleteFileA 15502->15504 15503 40d26e lstrcatA 15507 40d2b1 CreateFileA 15503->15507 15503->15510 15504->15510 15505 40d4b1 CreateProcessA 
15508 40d4e8 CloseHandle CloseHandle 15505->15508 15505->15510 15506 40d3e0 SetFileAttributesA 15506->15497 15507->15510 15511 40d2d8 WriteFile CloseHandle 15507->15511 15508->15510 15509 40d452 SetFileAttributesA 15509->15510 15510->15448 15510->15451 15510->15456 15510->15462 15510->15463 15510->15464 15510->15465 15510->15467 15510->15468 15510->15470 15510->15471 15510->15472 15510->15473 15510->15474 15510->15475 15510->15476 15510->15477 15510->15478 15510->15479 15510->15480 15510->15481 15510->15487 15510->15488 15510->15489 15510->15491 15510->15492 15510->15494 15510->15496 15510->15497 15510->15503 15510->15505 15510->15506 15510->15507 15510->15509 15512 407ee6 64 API calls 15510->15512 15513 40d29f SetFileAttributesA 15510->15513 15516 40d31d SetFileAttributesA 15510->15516 15945 40c75d 15510->15945 15957 407e2f 15510->15957 15979 407ead 15510->15979 15989 4031d0 15510->15989 16006 403c09 15510->16006 16016 403a00 15510->16016 16020 40e7b4 15510->16020 16023 40c06c 15510->16023 16029 406f5f GetUserNameA 15510->16029 16040 40e854 15510->16040 16050 407dd6 15510->16050 15511->15510 15512->15510 15513->15507 15516->15510 15518 40741b 15517->15518 15519 406dc2 6 API calls 15518->15519 15520 40743f 15519->15520 15521 407469 RegOpenKeyExA 15520->15521 15522 4077f9 15521->15522 15533 407487 ___ascii_stricmp 15521->15533 15522->15190 15523 407703 RegEnumKeyA 15524 407714 RegCloseKey 15523->15524 15523->15533 15524->15522 15525 40f1a5 lstrlenA 15525->15533 15526 4074d2 RegOpenKeyExA 15526->15533 15527 40772c 15529 407742 RegCloseKey 15527->15529 15530 40774b 15527->15530 15528 407521 RegQueryValueExA 15528->15533 15529->15530 15531 4077ec RegCloseKey 15530->15531 15531->15522 15532 4076e4 RegCloseKey 15532->15533 15533->15523 15533->15525 15533->15526 15533->15527 15533->15528 15533->15532 15535 40777e GetFileAttributesExA 15533->15535 15536 407769 15533->15536 15534 4077e3 RegCloseKey 15534->15531 15535->15536 15536->15534 15538 407073 15537->15538 15539 
4070b9 RegOpenKeyExA 15538->15539 15540 4070d0 15539->15540 15554 4071b8 15539->15554 15541 406dc2 6 API calls 15540->15541 15544 4070d5 15541->15544 15542 40719b RegEnumValueA 15543 4071af RegCloseKey 15542->15543 15542->15544 15543->15554 15544->15542 15546 4071d0 15544->15546 15560 40f1a5 lstrlenA 15544->15560 15547 407205 RegCloseKey 15546->15547 15548 407227 15546->15548 15547->15554 15549 4072b8 ___ascii_stricmp 15548->15549 15550 40728e RegCloseKey 15548->15550 15551 4072cd RegCloseKey 15549->15551 15552 4072dd 15549->15552 15550->15554 15551->15554 15553 407311 RegCloseKey 15552->15553 15556 407335 15552->15556 15553->15554 15554->15194 15555 4073d5 RegCloseKey 15557 4073e4 15555->15557 15556->15555 15558 40737e GetFileAttributesExA 15556->15558 15559 407397 15556->15559 15558->15559 15559->15555 15561 40f1c3 15560->15561 15561->15544 15563 406e5f LookupAccountNameW 15562->15563 15564 406e97 15562->15564 15563->15564 15564->15196 15566 40eb17 15565->15566 15568 40eb21 15565->15568 15575 40eae4 15566->15575 15568->15236 15571 4069b9 WriteFile 15569->15571 15572 406a3c 15571->15572 15574 4069ff 15571->15574 15572->15232 15572->15233 15573 406a10 WriteFile 15573->15572 15573->15574 15574->15572 15574->15573 15576 40eb02 GetProcAddress 15575->15576 15577 40eaed LoadLibraryA 15575->15577 15576->15568 15577->15576 15578 40eb01 15577->15578 15578->15568 15580 401924 GetVersionExA 15579->15580 15580->15247 15582 406eef AllocateAndInitializeSid 15581->15582 15588 406f55 15581->15588 15583 406f1c CheckTokenMembership 15582->15583 15586 406f44 15582->15586 15584 406f3b FreeSid 15583->15584 15585 406f2e 15583->15585 15584->15586 15585->15584 15587 406e36 2 API calls 15586->15587 15586->15588 15587->15588 15588->15257 15590 40f0f1 15589->15590 15591 40f0ed 15589->15591 15592 40f119 15590->15592 15593 40f0fa lstrlenA SysAllocStringByteLen 15590->15593 15591->15279 15595 40f11c MultiByteToWideChar 15592->15595 15594 40f117 15593->15594 15593->15595 15594->15279 
15595->15594 15597 401820 17 API calls 15596->15597 15598 4018f2 15597->15598 15599 4018f9 15598->15599 15613 401280 15598->15613 15599->15274 15601 401908 15601->15274 15625 401000 15602->15625 15604 401839 15605 401851 GetCurrentProcess 15604->15605 15606 40183d 15604->15606 15607 401864 15605->15607 15606->15265 15607->15265 15610 40920e 15608->15610 15612 409308 15608->15612 15609 4092f1 Sleep 15609->15610 15610->15609 15610->15610 15611 4092bf ShellExecuteA 15610->15611 15610->15612 15611->15610 15611->15612 15612->15274 15614 4012e1 15613->15614 15615 4016f9 GetLastError 15614->15615 15622 4013a8 15614->15622 15616 401699 15615->15616 15616->15601 15617 401570 lstrlenW 15617->15622 15618 4015be GetStartupInfoW 15618->15622 15619 4015ff CreateProcessWithLogonW 15620 4016bf GetLastError 15619->15620 15621 40163f WaitForSingleObject 15619->15621 15620->15616 15621->15622 15623 401659 CloseHandle 15621->15623 15622->15616 15622->15617 15622->15618 15622->15619 15624 401668 CloseHandle 15622->15624 15623->15622 15624->15622 15626 40100d LoadLibraryA 15625->15626 15639 401023 15625->15639 15627 401021 15626->15627 15626->15639 15627->15604 15628 4010b5 GetProcAddress 15629 4010d1 GetProcAddress 15628->15629 15630 40127b 15628->15630 15629->15630 15631 4010f0 GetProcAddress 15629->15631 15630->15604 15631->15630 15632 401110 GetProcAddress 15631->15632 15632->15630 15633 401130 GetProcAddress 15632->15633 15633->15630 15634 40114f GetProcAddress 15633->15634 15634->15630 15635 40116f GetProcAddress 15634->15635 15635->15630 15636 40118f GetProcAddress 15635->15636 15636->15630 15637 4011ae GetProcAddress 15636->15637 15637->15630 15638 4011ce GetProcAddress 15637->15638 15638->15630 15640 4011ee GetProcAddress 15638->15640 15639->15628 15645 4010ae 15639->15645 15640->15630 15641 401209 GetProcAddress 15640->15641 15641->15630 15642 401225 GetProcAddress 15641->15642 15642->15630 15643 401241 GetProcAddress 15642->15643 15643->15630 15644 40125c GetProcAddress 
15643->15644 15644->15630 15645->15604 15647 40908d 15646->15647 15648 4090e2 wsprintfA 15647->15648 15649 40ee2a 15648->15649 15650 4090fd CreateFileA 15649->15650 15651 40911a lstrlenA WriteFile CloseHandle 15650->15651 15652 40913f 15650->15652 15651->15652 15652->15295 15652->15296 15654 40dd41 InterlockedExchange 15653->15654 15655 40dd20 GetCurrentThreadId 15654->15655 15659 40dd4a 15654->15659 15656 40dd53 GetCurrentThreadId 15655->15656 15657 40dd2e GetTickCount 15655->15657 15656->15299 15658 40dd39 Sleep 15657->15658 15657->15659 15658->15654 15659->15656 15661 40dbf0 15660->15661 15693 40db67 GetEnvironmentVariableA 15661->15693 15663 40dc19 15664 40dcda 15663->15664 15665 40db67 3 API calls 15663->15665 15664->15301 15666 40dc5c 15665->15666 15666->15664 15667 40db67 3 API calls 15666->15667 15668 40dc9b 15667->15668 15668->15664 15669 40db67 3 API calls 15668->15669 15669->15664 15671 40db55 15670->15671 15672 40db3a 15670->15672 15671->15304 15671->15308 15697 40ebed 15672->15697 15706 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15674->15706 15676 40e3be 15676->15304 15677 40e342 15677->15676 15709 40de24 15677->15709 15680 40e528 15679->15680 15681 40e3f4 15679->15681 15680->15313 15682 40e434 RegQueryValueExA 15681->15682 15683 40e458 15682->15683 15684 40e51d RegCloseKey 15682->15684 15685 40e46e RegQueryValueExA 15683->15685 15684->15680 15685->15683 15686 40e488 15685->15686 15686->15684 15687 40db2e 8 API calls 15686->15687 15688 40e499 15687->15688 15688->15684 15689 40e4b9 RegQueryValueExA 15688->15689 15690 40e4e8 15688->15690 15689->15688 15689->15690 15690->15684 15691 40e332 14 API calls 15690->15691 15692 40e513 15691->15692 15692->15684 15694 40db89 lstrcpyA CreateFileA 15693->15694 15695 40dbca 15693->15695 15694->15663 15695->15663 15698 40ec01 15697->15698 15699 40ebf6 15697->15699 15701 40eba0 codecvt 2 API calls 15698->15701 15700 40ebcc 4 API calls 15699->15700 15702 40ebfe 15700->15702 15703 40ec0a GetProcessHeap 
HeapReAlloc 15701->15703 15702->15671 15704 40eb74 2 API calls 15703->15704 15705 40ec28 15704->15705 15705->15671 15720 40eb41 15706->15720 15710 40de3a 15709->15710 15717 40de4e 15710->15717 15724 40dd84 15710->15724 15713 40de9e 15714 40ebed 8 API calls 15713->15714 15713->15717 15718 40def6 15714->15718 15715 40de76 15728 40ddcf 15715->15728 15717->15677 15718->15717 15719 40ddcf lstrcmpA 15718->15719 15719->15717 15721 40eb4a 15720->15721 15723 40eb54 15720->15723 15722 40eae4 2 API calls 15721->15722 15722->15723 15723->15677 15725 40ddc5 15724->15725 15726 40dd96 15724->15726 15725->15713 15725->15715 15726->15725 15727 40ddad lstrcmpiA 15726->15727 15727->15725 15727->15726 15729 40dddd 15728->15729 15731 40de20 15728->15731 15730 40ddfa lstrcmpA 15729->15730 15729->15731 15730->15729 15731->15717 15733 40dd05 6 API calls 15732->15733 15734 40e821 15733->15734 15735 40dd84 lstrcmpiA 15734->15735 15736 40e82c 15735->15736 15737 40e844 15736->15737 15780 402480 15736->15780 15737->15328 15740 40dd05 6 API calls 15739->15740 15741 40df7c 15740->15741 15742 40dd84 lstrcmpiA 15741->15742 15746 40df89 15742->15746 15743 40dfc4 15743->15334 15744 40ddcf lstrcmpA 15744->15746 15745 40ec2e codecvt 4 API calls 15745->15746 15746->15743 15746->15744 15746->15745 15747 40dd84 lstrcmpiA 15746->15747 15747->15746 15749 40ea98 15748->15749 15789 40e8a1 15749->15789 15751 401e84 15751->15336 15753 4019d5 GetProcAddress GetProcAddress GetProcAddress 15752->15753 15756 4019ce 15752->15756 15754 401ab3 FreeLibrary 15753->15754 15755 401a04 15753->15755 15754->15756 15755->15754 15757 401a14 GetProcessHeap 15755->15757 15756->15341 15757->15756 15759 401a2e HeapAlloc 15757->15759 15759->15756 15760 401a42 15759->15760 15761 401a52 HeapReAlloc 15760->15761 15763 401a62 15760->15763 15761->15763 15762 401aa1 FreeLibrary 15762->15756 15763->15762 15764 401a96 HeapFree 15763->15764 15764->15762 15817 401ac3 LoadLibraryA 15765->15817 15768 401bcf 15768->15352 15770 401ac3 12 API 
calls 15769->15770 15771 401c09 15770->15771 15772 401c0d GetComputerNameA 15771->15772 15775 401c41 15771->15775 15773 401c45 GetVolumeInformationA 15772->15773 15774 401c1f 15772->15774 15773->15775 15774->15773 15774->15775 15775->15361 15777 40ee2a 15776->15777 15778 4030d0 gethostname gethostbyname 15777->15778 15779 401f82 15778->15779 15779->15366 15779->15367 15783 402419 lstrlenA 15780->15783 15782 402491 15782->15737 15784 40243d lstrlenA 15783->15784 15787 402474 15783->15787 15785 402464 lstrlenA 15784->15785 15786 40244e lstrcmpiA 15784->15786 15785->15784 15785->15787 15786->15785 15788 40245c 15786->15788 15787->15782 15788->15785 15788->15787 15790 40dd05 6 API calls 15789->15790 15791 40e8b4 15790->15791 15792 40dd84 lstrcmpiA 15791->15792 15793 40e8c0 15792->15793 15794 40e8c8 lstrcpynA 15793->15794 15803 40e90a 15793->15803 15795 40e8f5 15794->15795 15810 40df4c 15795->15810 15796 402419 4 API calls 15797 40e926 lstrlenA lstrlenA 15796->15797 15799 40e94c lstrlenA 15797->15799 15801 40e96a 15797->15801 15799->15801 15800 40e901 15802 40dd84 lstrcmpiA 15800->15802 15804 40ebcc 4 API calls 15801->15804 15805 40ea27 15801->15805 15802->15803 15803->15796 15803->15805 15806 40e98f 15804->15806 15805->15751 15806->15805 15807 40df4c 20 API calls 15806->15807 15808 40ea1e 15807->15808 15809 40ec2e codecvt 4 API calls 15808->15809 15809->15805 15811 40dd05 6 API calls 15810->15811 15812 40df51 15811->15812 15813 40f04e 4 API calls 15812->15813 15814 40df58 15813->15814 15815 40de24 10 API calls 15814->15815 15816 40df63 15815->15816 15816->15800 15818 401ae2 GetProcAddress 15817->15818 15821 401b68 GetComputerNameA GetVolumeInformationA 15817->15821 15819 401af5 15818->15819 15818->15821 15820 40ebed 8 API calls 15819->15820 15822 401b29 15819->15822 15820->15819 15821->15768 15822->15821 15822->15822 15823 40ec2e codecvt 4 API calls 15822->15823 15823->15821 15825 406ec3 2 API calls 15824->15825 15826 407ef4 15825->15826 15827 4073ff 17 API calls 
15826->15827 15836 407fc9 15826->15836 15828 407f16 15827->15828 15828->15836 15837 407809 GetUserNameA 15828->15837 15830 407f63 15831 40ef1e lstrlenA 15830->15831 15830->15836 15832 407fa6 15831->15832 15833 40ef1e lstrlenA 15832->15833 15834 407fb7 15833->15834 15861 407a95 RegOpenKeyExA 15834->15861 15836->15375 15838 40783d LookupAccountNameA 15837->15838 15844 407a8d 15837->15844 15839 407874 GetLengthSid GetFileSecurityA 15838->15839 15838->15844 15840 4078a8 GetSecurityDescriptorOwner 15839->15840 15839->15844 15841 4078c5 EqualSid 15840->15841 15842 40791d GetSecurityDescriptorDacl 15840->15842 15841->15842 15843 4078dc LocalAlloc 15841->15843 15842->15844 15855 407941 15842->15855 15843->15842 15845 4078ef InitializeSecurityDescriptor 15843->15845 15844->15830 15846 407916 LocalFree 15845->15846 15847 4078fb SetSecurityDescriptorOwner 15845->15847 15846->15842 15847->15846 15849 40790b SetFileSecurityA 15847->15849 15848 40795b GetAce 15848->15855 15849->15846 15850 407980 EqualSid 15850->15855 15851 407a3d 15851->15844 15854 407a43 LocalAlloc 15851->15854 15852 4079be EqualSid 15852->15855 15853 40799d DeleteAce 15853->15855 15854->15844 15856 407a56 InitializeSecurityDescriptor 15854->15856 15855->15844 15855->15848 15855->15850 15855->15851 15855->15852 15855->15853 15857 407a62 SetSecurityDescriptorDacl 15856->15857 15858 407a86 LocalFree 15856->15858 15857->15858 15859 407a73 SetFileSecurityA 15857->15859 15858->15844 15859->15858 15860 407a83 15859->15860 15860->15858 15862 407ac4 15861->15862 15863 407acb GetUserNameA 15861->15863 15862->15836 15864 407da7 RegCloseKey 15863->15864 15865 407aed LookupAccountNameA 15863->15865 15864->15862 15865->15864 15866 407b24 RegGetKeySecurity 15865->15866 15866->15864 15867 407b49 GetSecurityDescriptorOwner 15866->15867 15868 407b63 EqualSid 15867->15868 15869 407bb8 GetSecurityDescriptorDacl 15867->15869 15868->15869 15870 407b74 LocalAlloc 15868->15870 15871 407da6 15869->15871 15878 407bdc 15869->15878 
15870->15869 15872 407b8a InitializeSecurityDescriptor 15870->15872 15871->15864 15873 407bb1 LocalFree 15872->15873 15874 407b96 SetSecurityDescriptorOwner 15872->15874 15873->15869 15874->15873 15876 407ba6 RegSetKeySecurity 15874->15876 15875 407bf8 GetAce 15875->15878 15876->15873 15877 407c1d EqualSid 15877->15878 15878->15871 15878->15875 15878->15877 15879 407cd9 15878->15879 15880 407c5f EqualSid 15878->15880 15881 407c3a DeleteAce 15878->15881 15879->15871 15882 407d5a LocalAlloc 15879->15882 15883 407cf2 RegOpenKeyExA 15879->15883 15880->15878 15881->15878 15882->15871 15884 407d70 InitializeSecurityDescriptor 15882->15884 15883->15882 15889 407d0f 15883->15889 15885 407d7c SetSecurityDescriptorDacl 15884->15885 15886 407d9f LocalFree 15884->15886 15885->15886 15887 407d8c RegSetKeySecurity 15885->15887 15886->15871 15887->15886 15888 407d9c 15887->15888 15888->15886 15890 407d43 RegSetValueExA 15889->15890 15890->15882 15891 407d54 15890->15891 15891->15882 15892->15395 15894 40dd05 6 API calls 15893->15894 15898 40e65f 15894->15898 15895 40e6a5 15896 40ebcc 4 API calls 15895->15896 15903 40e6f5 15895->15903 15897 40e6b0 15896->15897 15900 40e6b7 15897->15900 15902 40e6e0 lstrcpynA 15897->15902 15897->15903 15898->15895 15899 40e68c lstrcmpA 15898->15899 15899->15898 15900->15397 15901 40e71d lstrcmpA 15901->15903 15902->15903 15903->15900 15903->15901 15904->15403 15906 40c525 15905->15906 15907 40c532 15905->15907 15906->15907 15910 40ec2e codecvt 4 API calls 15906->15910 15908 40c548 15907->15908 16057 40e7ff 15907->16057 15911 40e7ff lstrcmpiA 15908->15911 15918 40c54f 15908->15918 15910->15907 15912 40c615 15911->15912 15913 40ebcc 4 API calls 15912->15913 15912->15918 15913->15918 15914 40c5d1 15917 40ebcc 4 API calls 15914->15917 15916 40e819 11 API calls 15919 40c5b7 15916->15919 15917->15918 15918->15416 15920 40f04e 4 API calls 15919->15920 15921 40c5bf 15920->15921 15921->15908 15921->15914 15923 402692 inet_addr 15922->15923 15924 40268e 
15922->15924 15923->15924 15925 40269e gethostbyname 15923->15925 15926 40f428 15924->15926 15925->15924 16060 40f315 15926->16060 15931 40c8d2 15929->15931 15930 40c907 15930->15450 15931->15930 15932 40c517 23 API calls 15931->15932 15932->15930 15933 40f43e 15934 40f473 recv 15933->15934 15935 40f47c 15934->15935 15936 40f458 15934->15936 15935->15433 15936->15934 15936->15935 15938 40c670 15937->15938 15939 40c67d 15937->15939 15940 40ebcc 4 API calls 15938->15940 15941 40ebcc 4 API calls 15939->15941 15942 40c699 15939->15942 15940->15939 15941->15942 15943 40c6f3 15942->15943 15944 40c73c send 15942->15944 15943->15446 15943->15510 15944->15943 15946 40c770 15945->15946 15947 40c77d 15945->15947 15948 40ebcc 4 API calls 15946->15948 15949 40c799 15947->15949 15951 40ebcc 4 API calls 15947->15951 15948->15947 15950 40c7b5 15949->15950 15952 40ebcc 4 API calls 15949->15952 15953 40f43e recv 15950->15953 15951->15949 15952->15950 15954 40c7cb 15953->15954 15955 40f43e recv 15954->15955 15956 40c7d3 15954->15956 15955->15956 15956->15510 16073 407db7 15957->16073 15960 40f04e 4 API calls 15961 407e4c 15960->15961 15964 40f04e 4 API calls 15961->15964 15965 407e70 15961->15965 15962 40f04e 4 API calls 15963 407e96 15962->15963 15963->15510 15964->15965 15965->15962 15965->15963 15967 406ec3 2 API calls 15966->15967 15968 407fdd 15967->15968 15969 4073ff 17 API calls 15968->15969 15978 4080c2 CreateProcessA 15968->15978 15970 407fff 15969->15970 15971 407809 21 API calls 15970->15971 15970->15978 15972 40804d 15971->15972 15973 40ef1e lstrlenA 15972->15973 15972->15978 15974 40809e 15973->15974 15975 40ef1e lstrlenA 15974->15975 15976 4080af 15975->15976 15977 407a95 24 API calls 15976->15977 15977->15978 15978->15499 15978->15500 15980 407db7 2 API calls 15979->15980 15981 407eb8 15980->15981 15982 40f04e 4 API calls 15981->15982 15983 407ece DeleteFileA 15982->15983 15983->15510 15985 40dd05 6 API calls 15984->15985 15986 40e31d 15985->15986 16077 40e177 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\UUJycuNA6D.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\UUJycuNA6D.exe$C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$D$P$\$tizvpcy
• API String ID: 2089075347-2489362217
                                                                                        • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                        • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                        • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                        • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 574 40637c-406384 575 406386-406389 574->575 576 40638a-4063b4 GetModuleHandleA VirtualAlloc 574->576 577 4063f5-4063f7 576->577 578 4063b6-4063d4 call 40ee08 VirtualAllocEx 576->578 579 40640b-40640f 577->579 578->577 582 4063d6-4063f3 call 4062b7 WriteProcessMemory 578->582 582->577 585 4063f9-40640a 582->585 585->579
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                        • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                        • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 264 407a95-407ac2 RegOpenKeyExA 265 407ac4-407ac6 264->265 266 407acb-407ae7 GetUserNameA 264->266 267 407db4-407db6 265->267 268 407da7-407db3 RegCloseKey 266->268 269 407aed-407b1e LookupAccountNameA 266->269 268->267 269->268 270 407b24-407b43 RegGetKeySecurity 269->270 270->268 271 407b49-407b61 GetSecurityDescriptorOwner 270->271 272 407b63-407b72 EqualSid 271->272 273 407bb8-407bd6 GetSecurityDescriptorDacl 271->273 272->273 274 407b74-407b88 LocalAlloc 272->274 275 407da6 273->275 276 407bdc-407be1 273->276 274->273 277 407b8a-407b94 InitializeSecurityDescriptor 274->277 275->268 276->275 278 407be7-407bf2 276->278 279 407bb1-407bb2 LocalFree 277->279 280 407b96-407ba4 SetSecurityDescriptorOwner 277->280 278->275 281 407bf8-407c08 GetAce 278->281 279->273 280->279 282 407ba6-407bab RegSetKeySecurity 280->282 283 407cc6 281->283 284 407c0e-407c1b 281->284 282->279 287 407cc9-407cd3 283->287 285 407c1d-407c2f EqualSid 284->285 286 407c4f-407c52 284->286 289 407c31-407c34 285->289 290 407c36-407c38 285->290 291 407c54-407c5e 286->291 292 407c5f-407c71 EqualSid 286->292 287->281 288 407cd9-407cdc 287->288 288->275 293 407ce2-407ce8 288->293 289->285 289->290 290->286 294 407c3a-407c4d DeleteAce 290->294 291->292 295 407c73-407c84 292->295 296 407c86 292->296 297 407d5a-407d6e LocalAlloc 293->297 298 407cea-407cf0 293->298 294->287 299 407c8b-407c8e 295->299 296->299 297->275 303 407d70-407d7a InitializeSecurityDescriptor 297->303 298->297 300 407cf2-407d0d RegOpenKeyExA 298->300 301 407c90-407c96 299->301 302 407c9d-407c9f 299->302 300->297 304 407d0f-407d16 300->304 301->302 305 407ca1-407ca5 302->305 306 407ca7-407cc3 302->306 307 407d7c-407d8a SetSecurityDescriptorDacl 303->307 308 407d9f-407da0 LocalFree 303->308 309 407d19-407d1e 304->309 305->283 305->306 306->283 307->308 310 407d8c-407d9a RegSetKeySecurity 307->310 308->275 309->309 311 407d20-407d52 call 402544 RegSetValueExA 309->311 310->308 312 407d9c 310->312 311->297 315 407d54 311->315 312->308 315->297
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$D
                                                                                        • API String ID: 2976863881-81543814
                                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 316 4073ff-407419 317 40741b 316->317 318 40741d-407422 316->318 317->318 319 407424 318->319 320 407426-40742b 318->320 319->320 321 407430-407435 320->321 322 40742d 320->322 323 407437 321->323 324 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 321->324 322->321 323->324 329 407487-40749d call 40ee2a 324->329 330 4077f9-4077fe call 40ee2a 324->330 336 407703-40770e RegEnumKeyA 329->336 335 407801 330->335 337 407804-407808 335->337 338 4074a2-4074b1 call 406cad 336->338 339 407714-40771d RegCloseKey 336->339 342 4074b7-4074cc call 40f1a5 338->342 343 4076ed-407700 338->343 339->335 342->343 346 4074d2-4074f8 RegOpenKeyExA 342->346 343->336 347 407727-40772a 346->347 348 4074fe-407530 call 402544 RegQueryValueExA 346->348 349 407755-407764 call 40ee2a 347->349 350 40772c-407740 call 40ef00 347->350 348->347 356 407536-40753c 348->356 361 4076df-4076e2 349->361 358 407742-407745 RegCloseKey 350->358 359 40774b-40774e 350->359 360 40753f-407544 356->360 358->359 363 4077ec-4077f7 RegCloseKey 359->363 360->360 362 407546-40754b 360->362 361->343 364 4076e4-4076e7 RegCloseKey 361->364 362->349 365 407551-40756b call 40ee95 362->365 363->337 364->343 365->349 368 407571-407593 call 402544 call 40ee95 365->368 373 407753 368->373 374 407599-4075a0 368->374 373->349 375 4075a2-4075c6 call 40ef00 call 40ed03 374->375 376 4075c8-4075d7 call 40ed03 374->376 382 4075d8-4075da 375->382 376->382 384 4075dc 382->384 385 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 382->385 384->385 394 407626-40762b 385->394 394->394 395 40762d-407634 394->395 396 407637-40763c 395->396 396->396 397 40763e-407642 396->397 398 407644-407656 call 40ed77 397->398 399 40765c-407673 call 40ed23 397->399 404 407769-40777c call 40ef00 398->404 405 407680 399->405 406 407675-40767e 399->406 412 4077e3-4077e6 RegCloseKey 404->412 408 407683-40768e call 406cad 405->408 406->408 413 407722-407725 408->413 414 407694-4076bf call 40f1a5 call 406c96 408->414 412->363 415 4076dd 413->415 420 4076c1-4076c7 414->420 421 4076d8 414->421 415->361 420->421 422 4076c9-4076d2 420->422 421->415 422->421 423 40777e-407797 GetFileAttributesExA 422->423 424 407799 423->424 425 40779a-40779f 423->425 424->425 426 4077a1 425->426 427 4077a3-4077a8 425->427 426->427 428 4077c4-4077c8 427->428 429 4077aa-4077c0 call 40ee08 427->429 431 4077d7-4077dc 428->431 432 4077ca-4077d6 call 40ef00 428->432 429->428 435 4077e0-4077e2 431->435 436 4077de 431->436 432->431 435->412 436->435
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                        • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 438 78003c-780047 439 780049 438->439 440 78004c-780263 call 780a3f call 780e0f call 780d90 VirtualAlloc 438->440 439->440 455 78028b-780292 440->455 456 780265-780289 call 780a69 440->456 458 7802a1-7802b0 455->458 459 7802ce-7803c2 VirtualProtect call 780cce call 780ce7 456->459 458->459 460 7802b2-7802cc 458->460 467 7803d1-7803e0 459->467 460->458 468 780439-7804b8 VirtualFree 467->468 469 7803e2-780437 call 780ce7 467->469 471 7804be-7804cd 468->471 472 7805f4-7805fe 468->472 469->467 476 7804d3-7804dd 471->476 473 78077f-780789 472->473 474 780604-78060d 472->474 479 78078b-7807a3 473->479 480 7807a6-7807b0 473->480 474->473 477 780613-780637 474->477 476->472 481 7804e3-780505 LoadLibraryA 476->481 486 78063e-780648 477->486 479->480 482 78086e-7808be LoadLibraryA 480->482 483 7807b6-7807cb 480->483 484 780517-780520 481->484 485 780507-780515 481->485 494 7808c7-7808f9 482->494 487 7807d2-7807d5 483->487 488 780526-780547 484->488 485->488 486->473 489 78064e-78065a 486->489 490 780824-780833 487->490 491 7807d7-7807e0 487->491 492 78054d-780550 488->492 489->473 493 780660-78066a 489->493 500 780839-78083c 490->500 495 7807e2 491->495 496 7807e4-780822 491->496 497 7805e0-7805ef 492->497 498 780556-78056b 492->498 499 78067a-780689 493->499 501 7808fb-780901 494->501 502 780902-78091d 494->502 495->490 496->487 497->476 503 78056d 498->503 504 78056f-78057a 498->504 505 78068f-7806b2 499->505 506 780750-78077a 499->506 500->482 507 78083e-780847 500->507 501->502 503->497 509 78059b-7805bb 504->509 510 78057c-780599 504->510 511 7806ef-7806fc 505->511 512 7806b4-7806ed 505->512 506->486 513 780849 507->513 514 78084b-78086c 507->514 521 7805bd-7805db 509->521 510->521 515 78074b 511->515 516 7806fe-780748 511->516 512->511 513->482 514->500 515->499 516->515 521->492
                                                                                        APIs
                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0078024D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID: cess$kernel32.dll
                                                                                        • API String ID: 4275171209-1230238691
                                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction ID: 11e41495bae7d7e4d724454cbfe7a509fbcdab37b2827ee2bc84ff87f4a961b5
                                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                        • Instruction Fuzzy Hash: 19527974A01229DFDBA4CF58C984BA8BBB1BF09304F1480D9E50DAB351DB34AE99DF54

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 522 40977c-4097b9 call 40ee2a CreateProcessA 525 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 522->525 526 4097bb-4097bd 522->526 530 409801-40981c call 40637c 525->530 531 4097f5 525->531 527 409864-409866 526->527 532 4097f6-4097ff TerminateProcess 530->532 535 40981e-409839 WriteProcessMemory 530->535 531->532 532->526 535->531 536 40983b-409856 Wow64SetThreadContext 535->536 536->531 537 409858-409863 ResumeThread 536->537 537->527
                                                                                        APIs
                                                                                        • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                        • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                        • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                        • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2098669666-2746444292
                                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID:
                                                                                        • API String ID: 1371578007-0
                                                                                        • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                        • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                        • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

Control-flow Graph (legend: Executed / Not Executed)
Blocks 404000-40405c: a retry loop around CreateFileA; when the call fails, the code calls GetLastError, tests the error code, calls Sleep and returns to CreateFileA.
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: CreateErrorFileLastSleep

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: Time$CountFileInformationSystemTickVolume

Control-flow Graph (legend: Executed / Not Executed)
Blocks 406dc2-406e35: calls sub_406cc9 and sub_40ef00, runs a short loop at 406df4, then calls GetVolumeInformationA before returning.
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID: /{Q

Control-flow Graph (legend: Executed / Not Executed)
Blocks 406e36-406ec2: GetUserNameW; if it succeeds, LookupAccountNameW, followed by a chain of checks on the result before returning.
APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: Name$AccountLookupUser

Control-flow Graph (legend: Executed / Not Executed)
Blocks 8433e8-843446: CreateToolhelp32Snapshot, retried through the loop at 84341a-843426 when it fails, then Module32First and a call to sub_8430a7.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00843410
• Module32First.KERNEL32(00000000,00000224), ref: 00843430
Memory Dump Source
• Source File: 0000000C.00000002.2090230631.0000000000833000.00000040.00000020.00020000.00000000.sdmp, Offset: 00833000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_833000_oxdombt.jbxd
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32

Control-flow Graph (legend: Executed / Not Executed)
Blocks 780e0f-780e2c: two consecutive SetErrorMode calls (0x400, then 0), then return.
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,00780223,?,?), ref: 00780E19
• SetErrorMode.KERNELBASE(00000000,?,?,00780223,?,?), ref: 00780E1E
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: ErrorMode

Control-flow Graph (legend: Executed / Not Executed)
Blocks 409892-4098f1: a short branch at 4098c2 selects one of two paths, both ending in SetServiceStatus at 4098e0.
APIs
• SetServiceStatus.ADVAPI32(00413394), ref: 004098EB
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: ServiceStatus

Control-flow Graph (legend: Executed / Not Executed)
Single block 780920-780929 ending in TerminateProcess.
APIs
• TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00780929
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: ProcessTerminate
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008430F8
Memory Dump Source
• Source File: 0000000C.00000002.2090230631.0000000000833000.00000040.00000020.00020000.00000000.sdmp, Offset: 00833000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_833000_oxdombt.jbxd
Similarity
• API ID: AllocVirtual
APIs
  • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: CreateEventSleep
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 007865F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00786610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00786631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00786652
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
APIs
• ExitProcess.KERNEL32 ref: 00789E6D
• lstrcpy.KERNEL32(?,00000000), ref: 00789FE1
• lstrcat.KERNEL32(?,?), ref: 00789FF2
• lstrcat.KERNEL32(?,0041070C), ref: 0078A004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 0078A054
• DeleteFileA.KERNEL32(?), ref: 0078A09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0078A0D6
• lstrcpy.KERNEL32 ref: 0078A12F
• lstrlen.KERNEL32(00000022), ref: 0078A13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 00789F13
  • Part of subcall function 00787029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00787081
  • Part of subcall function 00786F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\dsjfzmi,00787043), ref: 00786F4E
  • Part of subcall function 00786F30: GetProcAddress.KERNEL32(00000000), ref: 00786F55
  • Part of subcall function 00786F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
  • Part of subcall function 00786F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0078A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0078A214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0078A21B
• GetDriveTypeA.KERNEL32(?), ref: 0078A265
• lstrcat.KERNEL32(?,00000000), ref: 0078A29F
• lstrcat.KERNEL32(?,00410A34), ref: 0078A2C5
• lstrcat.KERNEL32(?,00000022), ref: 0078A2D9
• lstrcat.KERNEL32(?,00410A34), ref: 0078A2F4
• wsprintfA.USER32 ref: 0078A31D
• lstrcat.KERNEL32(?,00000000), ref: 0078A345
• lstrcat.KERNEL32(?,?), ref: 0078A364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0078A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0078A398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1D1
  • Part of subcall function 00789966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0078999D
  • Part of subcall function 00789966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007899BD
  • Part of subcall function 00789966: RegCloseKey.ADVAPI32(?), ref: 007899C6
                                                                                        • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0078A3DB
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0078A3E2
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0078A41D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                        • String ID: "$"$"$D$P$\
                                                                                        • API String ID: 1653845638-2605685093
                                                                                        • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction ID: fcd6cfc1229646f162688ada09cd9548fc519c1614a6a490e657c959ea0a90b0
                                                                                        • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                        • Instruction Fuzzy Hash: F1F112B1D80259FFDF11EBA09C49EEF7BBCAB08300F1444A6F605E2141E7799A858F65
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00787D21
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00787D46
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787D7D
                                                                                        • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00787DA2
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787DC0
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 00787DD1
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787DE5
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787DF3
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787E03
                                                                                        • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00787E12
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00787E19
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787E35
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$D
                                                                                        • API String ID: 2976863881-81543814
                                                                                        • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction ID: 5d765d5f1e80701d1017c59c09a3c21054aebdb72f923c3248f286917c5cb4fc
                                                                                        • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                        • Instruction Fuzzy Hash: B1A15C71940219AFDB11DFA1DD88FEEBBB9FB08300F148069F616E2150DB79CA85CB64
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                        • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                        • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-2394369944
                                                                                        • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                        • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00787A96
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787ACD
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00787ADF
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00787B01
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787B1F
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 00787B39
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787B4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787B58
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787B68
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00787B77
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00787B7E
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787B9A
                                                                                        • GetAce.ADVAPI32(?,?,?), ref: 00787BCA
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 00787BF1
                                                                                        • DeleteAce.ADVAPI32(?,?), ref: 00787C0A
                                                                                        • EqualSid.ADVAPI32(?,?), ref: 00787C2C
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787CB1
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787CBF
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00787CD0
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00787CE0
                                                                                        • LocalFree.KERNEL32(00000000), ref: 00787CEE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction ID: e90db8605f24c7f4b8cdea20a8669ae03bab4930f35680131aa2d7c0f7e4d63d
                                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                        • Instruction Fuzzy Hash: A1815C71944219AFDB11DFA4DD88FEEBBBCAF08340F24806AE506E7150D779CA41CB64
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$localcfg
                                                                                        • API String ID: 237177642-1360186656
                                                                                        • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                        • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-3716895483
                                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
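The routine above couples ShellExecuteExW with the strings %systemroot%\system32\cmd.exe, wusa.exe and uac, and the sample's own image lives at C:\Windows\SysWOW64\tizvpcy\oxdombt.exe. An added triage example (not Joe Sandbox output and not the sample's code) that turns that combination into rules over process-creation events: cmd.exe or wusa.exe started by a binary sitting in a random seven-letter folder under SysWOW64. The event text, its pid|parent|image|cmdline layout, and the "trusted parent" list are constructed assumptions for the demo; the seven-letter pattern is a generalisation from the single observed path.

```python
"""Score process-creation events for the wusa.exe / cmd.exe launch pattern.

Added example for this report. Rules are derived from the report's strings
(cmd.exe, wusa.exe, uac) and drop path; events below are constructed.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid parent_image image cmdline")

# generalised from the report's C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
DROP_PATH = re.compile(r"^C:\\Windows\\SysWOW64\\[a-z]{7}\\[a-z]{7}\.exe$", re.I)
WUSA = re.compile(r"\\wusa\.exe$", re.I)
CMD = re.compile(r"\\cmd\.exe$", re.I)
# assumption: a legitimate wusa.exe is launched from an interactive shell or explorer
TRUSTED_PARENTS = re.compile(r"^C:\\Windows\\(System32\\\w+\.exe|explorer\.exe)$", re.I)

# constructed Sysmon-like events: pid|parent image|image|command line
SAMPLE_EVENTS = r"""
1204|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
1250|C:\Windows\System32\cmd.exe|C:\Windows\System32\wusa.exe|wusa.exe C:\Users\admin\kb.msu /quiet
1310|C:\Windows\SysWOW64\tizvpcy\oxdombt.exe|C:\Windows\System32\wusa.exe|wusa.exe
1322|C:\Windows\SysWOW64\tizvpcy\oxdombt.exe|C:\Windows\System32\cmd.exe|%systemroot%\system32\cmd.exe
"""


def parse_events(text):
    """Parse the pipe-separated event lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, parent, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), parent, image, cmdline))
    return events


def score(ev):
    """Names of the rules an event trips; an empty list means nothing to report."""
    reasons = []
    if DROP_PATH.match(ev.parent_image):
        reasons.append("parent-in-random-syswow64-dir")
    if DROP_PATH.match(ev.image):
        reasons.append("image-in-random-syswow64-dir")
    if WUSA.search(ev.image) and not TRUSTED_PARENTS.match(ev.parent_image):
        reasons.append("wusa-from-untrusted-parent")
    if CMD.search(ev.image) and DROP_PATH.match(ev.parent_image):
        reasons.append("cmd-from-dropped-binary")
    return reasons


def triage(text):
    """{pid: [reasons]} for every event that trips at least one rule."""
    flagged = {}
    for ev in parse_events(text):
        reasons = score(ev)
        if reasons:
            flagged[ev.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Event 1250 (wusa.exe from an admin cmd.exe) is deliberately left unflagged: the point of the parent check is that wusa.exe itself is a signed Windows binary, and only its launch context separates patching from the pattern this routine shows.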
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                        • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                        • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
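The string table of this routine (born_date, flags_upd, hi_id, lid_file_upd, loader_id, net_type, start_srv, work_srv, localcfg), together with the RegOpenKeyExA(0x80000002, ...) / RegSetValueExA(..., type 4, size 4) calls shown earlier, describes a per-bot state store kept as REG_DWORD values under HKLM. An added forensic example (not Joe Sandbox output and not the sample's code) that scans a .reg export for a key carrying that value-name set. The report does not settle whether localcfg is the key name or a value name, so the scanner matches it either way; the export text, key path, DWORD contents and the four-of-eight threshold are constructed assumptions, and the SysWOW64 path pattern is generalised from the one observed path C:\Windows\SysWOW64\tizvpcy\oxdombt.exe.

```python
"""Heuristic scan of a .reg export for the 'localcfg' bot state seen in this report.

Added example for this report; the value names come from the report's string
table, everything in SAMPLE_REG is constructed.
"""
import re
from dataclasses import dataclass, field

CFG_NAMES = frozenset({
    "born_date", "flags_upd", "hi_id", "lid_file_upd",
    "loader_id", "net_type", "start_srv", "work_srv",
})
MIN_HITS = 4  # assumption: half the set is enough to flag a key
# generalised from the report's C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
DROP_PATH = re.compile(r"^C:\\Windows\\SysWOW64\\[a-z]{7}\\[a-z]{7}\.exe$", re.I)
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

# constructed export: one benign key and one key shaped like the bot's state store
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\example_cfg]
"born_date"=dword:66d1f0a0
"flags_upd"=dword:00000001
"hi_id"=dword:00000000
"lid_file_upd"=dword:66d1f0a1
"loader_id"=dword:00000002
"net_type"=dword:00000001
"start_srv"=dword:00000000
"work_srv"=dword:00000000
"path"="C:\\Windows\\SysWOW64\\tizvpcy\\oxdombt.exe"
"""


@dataclass
class Hit:
    key: str
    names: frozenset
    dwords: dict = field(default_factory=dict)
    paths: list = field(default_factory=list)


def parse_reg(text):
    """Return {key: {name: value}}; dwords as int, REG_SZ with .reg escaping undone."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        m = VALUE_RE.match(line) if cur else None
        if not m:
            continue
        name, dword, sz = m.groups()
        keys[cur][name] = int(dword, 16) if dword is not None else sz.replace("\\\\", "\\")
    return keys


def find_localcfg(text, min_hits=MIN_HITS):
    """Keys under HKLM that carry the bot's DWORD config names (or 'localcfg')."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            continue  # the report's RegOpenKeyExA uses HKEY_LOCAL_MACHINE (0x80000002)
        names = CFG_NAMES & set(values)
        if len(names) < min_hits and "localcfg" not in key.lower() and "localcfg" not in values:
            continue
        hit = Hit(key, frozenset(names))
        for name, val in values.items():
            if isinstance(val, int):
                hit.dwords[name] = val          # REG_DWORD, as RegSetValueExA type 4 / size 4
            elif DROP_PATH.match(val):
                hit.paths.append(val)           # dropped-binary path stored beside the config
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in find_localcfg(SAMPLE_REG):
        print(h.key, sorted(h.names), h.dwords, h.paths)
```

On a live host the same check can be run against `reg export HKLM\SOFTWARE out.reg`; the DWORD values are reported raw because the report does not say how the bot encodes them.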
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 835516345-270533642
                                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
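The inet_addr(123.45.67.89) call in this routine sits next to GetBestInterface, GetAdaptersInfo and GetIfEntry resolved from Iphlpapi.dll. GetBestInterface only asks the routing table which interface would carry traffic to the given address; nothing is transmitted, so the literal is a probe for "which interface faces the default route" rather than a contact address, and it should not be lifted into a block list as a C2 indicator. An added example (not Joe Sandbox output and not the sample's code) showing the equivalent lookup from Python and a small triage rule for IP literals found in a string table. It assumes that a UDP connect() performs the same route selection as GetBestInterface without sending a datagram, which is how both APIs behave; the classify_ip_literal helper and its labels are this example's own.

```python
"""Reading the '123.45.67.89' / GetBestInterface pair as a route probe.

Added example for this report. Assumption: UDP connect() is the equivalent
lookup (it binds a route and a local address, it transmits nothing).
"""
import ipaddress
import socket

ROUTE_PROBE = "123.45.67.89"   # literal from the report; any public IPv4 serves the purpose


def probe_is_public(ip):
    """A probe has to be globally routable so the lookup selects the default route."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and addr.is_global


def egress_ipv4(probe=ROUTE_PROBE):
    """Local IPv4 the host would source traffic to `probe` from, or None if no route."""
    if not probe_is_public(probe):
        raise ValueError("probe should be a public IPv4 address")
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((probe, 53))   # route selection only: no datagram leaves the host
        return s.getsockname()[0]
    except OSError:              # no default route (isolated sandbox): nothing to choose
        return None
    finally:
        s.close()


def classify_ip_literal(ip, api_names):
    """Triage rule for an IP literal in a string table.

    A public IPv4 next to GetBestInterface is a routing probe (as in this
    routine); anything else stays a candidate indicator to be checked.
    """
    try:
        public = probe_is_public(ip)
    except ValueError:
        return "not-an-ip"
    if public and "GetBestInterface" in api_names:
        return "route-probe"
    return "candidate-ioc"


if __name__ == "__main__":
    print("egress interface address:", egress_ipv4())
    print(classify_ip_literal(ROUTE_PROBE, ["GetAdaptersInfo", "GetIfEntry", "GetBestInterface"]))
```

GetAdaptersInfo and GetIfEntry in the same routine fit this reading: once the best interface index is known, those two calls turn it into the adapter's address and link details, which the bot can then report or use for binding.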
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0078865A
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0078867B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007886A8
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007886B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: "$C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
                                                                                        • API String ID: 237177642-3729381524
                                                                                        • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction ID: e7fd308d00a54076d95c34a6a741fe4ef1c2517d2ffb4fe337ea5a89d3a2103d
                                                                                        • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                        • Instruction Fuzzy Hash: 13C1A0B1980108FEEB51BBA4DD89EEF7BBDEB04300F544076F605E6051EB784E948B66
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                                        • select.WS2_32 ref: 00402B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 00781601
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 007817D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $<$@$D
                                                                                        • API String ID: 1628651668-1974347203
                                                                                        • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction ID: 56effd8c578fc6a756252e3c3c41c79e8ba6b0f8186d24e4f90db8795d4cfe5d
                                                                                        • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                        • Instruction Fuzzy Hash: 2AF19EB15483419FD720EF64C888BABB7E8FB88300F90892DF596D7290D7B8D945CB56
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007876D9
                                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00787757
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0078778F
                                                                                        • ___ascii_stricmp.LIBCMT ref: 007878B4
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0078794E
                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0078796D
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0078797E
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 007879AC
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00787A56
                                                                                          • Part of subcall function 0078F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0078772A,?), ref: 0078F414
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007879F6
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00787A4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction ID: 052c9d4e6bbc6744200fa5f9b792f86a5469912d2ebfa4157b534f51d5ec58c3
                                                                                        • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                        • Instruction Fuzzy Hash: EFC1C172984209EFDB15ABA4DC49FEE7BB9EF45310F2040A1F505E6191EB79DA80CB60
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                        • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                        • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"
                                                                                        • API String ID: 4293430545-3817095088
                                                                                        • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                        • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                        • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00782CED
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00782D07
                                                                                        • htons.WS2_32(00000000), ref: 00782D42
                                                                                        • select.WS2_32 ref: 00782D8F
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00782DB1
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00782E62
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 127016686-0
                                                                                        • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction ID: e9ea1ebc2f37348c9937cc14dcfa3e73d43684d78d6910b0c3dceb79edd0491d
                                                                                        • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                        • Instruction Fuzzy Hash: 2C61C071544305AFC720BF64DC0CB6BBBF8EB48752F144819F98497152D7B9D882CBAA
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                        • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                        • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 2622201749-0
                                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                        • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                        • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 0078202D
                                                                                        • GetSystemInfo.KERNEL32(?), ref: 0078204F
                                                                                        • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0078206A
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00782071
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00782082
                                                                                        • GetTickCount.KERNEL32 ref: 00782230
                                                                                          • Part of subcall function 00781E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00781E7C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                        • API String ID: 4207808166-1391650218
                                                                                        • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction ID: d5b8558eb34075505483270bd57c79bd25e7b725cbd892d881ef42fa46da7711
                                                                                        • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                        • Instruction Fuzzy Hash: D351B3B0980348AFE330BF758C8AF67BAECEB55704F00492DF99682143D7BDA9458765
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                        APIs
                                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                        APIs
                                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00783068
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00783078
                                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 00783095
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007830B6
                                                                                        • htons.WS2_32(00000035), ref: 007830EF
                                                                                        • inet_addr.WS2_32(?), ref: 007830FA
                                                                                        • gethostbyname.WS2_32(?), ref: 0078310D
                                                                                        • HeapFree.KERNEL32(00000000), ref: 0078314D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: iphlpapi.dll
                                                                                        • API String ID: 2869546040-3565520932
                                                                                        • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction ID: 3bab4b7665f45b89bfc39abb1b2f357255c2d1f5fbfa5cb918e228851aa91b29
                                                                                        • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                        • Instruction Fuzzy Hash: 31318731E4060AABDB11ABBCDC4CAAE7778AF04F61F144125E518E7290DB7CDE418B54
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?), ref: 007895A7
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007895D5
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 007895DC
                                                                                        • wsprintfA.USER32 ref: 00789635
                                                                                        • wsprintfA.USER32 ref: 00789673
                                                                                        • wsprintfA.USER32 ref: 007896F4
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00789758
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0078978D
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007897D8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID:
                                                                                        • API String ID: 3696105349-0
                                                                                        • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction ID: 42de77b672943b115824066a523765a322ec8d48bec6b8c15357696fcfb44a13
                                                                                        • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                        • Instruction Fuzzy Hash: 3BA182B198020CEFEB11EFA1CC49FEA3BACEB04741F144026FA15D6152E779D984CBA4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 3560063639-3847274415
                                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-1625972887
                                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                        • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3188212458-0
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                        APIs
                                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007867C3
                                                                                        • htonl.WS2_32(?), ref: 007867DF
                                                                                        • htonl.WS2_32(?), ref: 007867EE
                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007868F1
                                                                                        • ExitProcess.KERNEL32 ref: 007869BC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: Processhtonl$CurrentExitHugeRead
                                                                                        • String ID: except_info$localcfg
                                                                                        • API String ID: 1150517154-3605449297
                                                                                        • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction ID: e23bd7f508c8abb35fba742c0d6c65c3467317decb6e1f62545f3f6089b4f3d8
                                                                                        • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                        • Instruction Fuzzy Hash: EC615071940208EFDB60AFB4DC45FEA77E9FB08300F148069F96DD2161DB7599948F54
                                                                                        APIs
                                                                                        • htons.WS2_32(0078CC84), ref: 0078F5B4
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0078F5CE
                                                                                        • closesocket.WS2_32(00000000), ref: 0078F5DC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction ID: 601d0fa4c20371f1001b25fb6555c543218af509c7ea1819fd7a83ef71eb4bb1
                                                                                        • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                        • Instruction Fuzzy Hash: F6315A72A40118ABDB10EFA5DC89DEE7BBCEF88310F104566F915E3150E7749A818BA4
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                        • wsprintfA.USER32 ref: 00407036
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                        • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                        • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(?), ref: 00782FA1
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 00782FB1
                                                                                        • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00782FC8
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00783000
                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00783007
                                                                                        • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00783032
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                        • String ID: dnsapi.dll
                                                                                        • API String ID: 1242400761-3175542204
                                                                                        • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                        • Instruction ID: 6bd1a1b5ec82ea021da7d592a4b532bfc52a074098fa33ec8d8d825599d49567
                                                                                        • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                        • Instruction Fuzzy Hash: 6021A471980625BBCB21AB98DC489EEBBBDEF08B11F104421F901E7141D7B89E81C7D4
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                        • API String ID: 1082366364-3395550214
                                                                                        • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                        • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                        • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00789A18
                                                                                        • GetThreadContext.KERNEL32(?,?), ref: 00789A52
                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00789A60
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00789A98
                                                                                        • SetThreadContext.KERNEL32(?,00010002), ref: 00789AB5
                                                                                        • ResumeThread.KERNEL32(?), ref: 00789AC2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction ID: b15de8dc03c43e32fa077fe81270d95784aaea7327ae09b2603fa0f470c7e840
                                                                                        • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                        • Instruction Fuzzy Hash: FB213BB1A41219BBDB11ABA1DC09EEF7BBCEF04750F448061FA19E1150E7798A44CBA5
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(004102D8), ref: 00781C18
                                                                                        • LoadLibraryA.KERNEL32(004102C8), ref: 00781C26
                                                                                        • GetProcessHeap.KERNEL32 ref: 00781C84
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00781C9D
                                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00781CC1
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 00781D02
                                                                                        • FreeLibrary.KERNEL32(?), ref: 00781D0B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                        • String ID:
                                                                                        • API String ID: 2324436984-0
                                                                                        • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction ID: ad3110e32fe948610cd97040d80640b7f0850246609407a004ae0c5a5fe2ee87
                                                                                        • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                        • Instruction Fuzzy Hash: 8C314F32E40219BFCB11AFE4DC889FEBBB9EB45711B64447AE501A2110D7B94E81DBA4
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00786CE4
                                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00786D22
                                                                                        • GetLastError.KERNEL32 ref: 00786DA7
                                                                                        • CloseHandle.KERNEL32(?), ref: 00786DB5
                                                                                        • GetLastError.KERNEL32 ref: 00786DD6
                                                                                        • DeleteFileA.KERNEL32(?), ref: 00786DE7
                                                                                        • GetLastError.KERNEL32 ref: 00786DFD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3873183294-0
                                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction ID: 63c244b3ab6a512c6fa3a06b18b7d64518628dcb37c5937cf447235420ea8759
                                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                        • Instruction Fuzzy Hash: 2331FE76A40249BFCF01EFA49D48ADEBFB9EB48300F148466E211E3212D7748A858B61
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\dsjfzmi,00787043), ref: 00786F4E
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00786F55
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$\\.\pipe\dsjfzmi
                                                                                        • API String ID: 1082366364-1537005808
                                                                                        • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                        • Instruction ID: 12a4025699fa090bce9363291915759317fb4ead2325f3cccc56c05a67a05c0c
                                                                                        • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                        • Instruction Fuzzy Hash: 5A21C2617C5344B9F7227331AC8DFBB2A4C8B52711F2840A5F644A5192DADDC8D6C36D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen
                                                                                        • String ID: $localcfg
                                                                                        • API String ID: 1659193697-2018645984
                                                                                        • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction ID: 8d1d207496ef616f35eceff2fca501376c02336d8d0640fbf19d9aaf779e6c9f
                                                                                        • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                        • Instruction Fuzzy Hash: 3D7109B1AC4304BAFF21BB54DC85FEE3B699B00715F244077F904E6091DA6E9D848767
                                                                                        APIs
                                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                        • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                        • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                        APIs
                                                                                          • Part of subcall function 0078DF6C: GetCurrentThreadId.KERNEL32 ref: 0078DFBA
                                                                                        • lstrcmp.KERNEL32(00410178,00000000), ref: 0078E8FA
                                                                                        • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00786128), ref: 0078E950
                                                                                        • lstrcmp.KERNEL32(?,00000008), ref: 0078E989
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 2920362961-1846390581
                                                                                        • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                        • Instruction ID: f3a78f06b441fe478f93ed133a6f2ae6492b7247684b4874492198e029fca0dd
                                                                                        • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                        • Instruction Fuzzy Hash: 05319031640705DBDB71AF24C888BAA7BE8EB15720F10852AE55587551D3B8FC80CB82
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                        • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                        • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction ID: ad91502c918df71d043ef53d816e9cc1f178552f3268e5d244bc5e88c32108aa
                                                                                        • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                        • Instruction Fuzzy Hash: A5213876244219FFEB10ABA4EC49EDF3EADEB49760B208425F602D1091EB789A409774
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                                        • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                        • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                        • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
                                                                                        • wsprintfA.USER32 ref: 00789350
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
                                                                                        • lstrlen.KERNEL32(?,?,00000000), ref: 00789389
                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0078939B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction ID: a677a98da3d9aee16c71f691049b3079da5b76deedd8fde0d690a343223b0933
                                                                                        • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                        • Instruction Fuzzy Hash: 071157B5780114BBE7607772EC0EFEF3A6DDBC5B11F008065BB09E5091EBB84A558764
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                        • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                        • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                        • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                        • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0078C6B4
                                                                                        • InterlockedIncrement.KERNEL32(0078C74B), ref: 0078C715
                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0078C747), ref: 0078C728
                                                                                        • CloseHandle.KERNEL32(00000000,?,0078C747,00413588,00788A77), ref: 0078C733
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1026198776-1857712256
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
• API String ID: 124786226-1823783247
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
• RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0078E38E
• RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
• RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: Dx
• API String ID: 2667537340-788195219
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007871E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787228
• LocalFree.KERNEL32(?,?,?), ref: 00787286
• wsprintfA.USER32 ref: 0078729D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0078B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0078B590
• wsprintfA.USER32 ref: 0078B61E
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00786303
• LoadLibraryA.KERNEL32(?), ref: 0078632A
• GetProcAddress.KERNEL32(00000000,?), ref: 007863B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00786405
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• String ID:
• API String ID: 1802437671-0
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
• Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
• Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007893C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 007893CD
• CharToOemA.USER32(?,?), ref: 007893DB
• wsprintfA.USER32 ref: 00789410
  • Part of subcall function 007892CB: GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
  • Part of subcall function 007892CB: wsprintfA.USER32 ref: 00789350
  • Part of subcall function 007892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
  • Part of subcall function 007892CB: lstrlen.KERNEL32(?,?,00000000), ref: 00789389
  • Part of subcall function 007892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
  • Part of subcall function 007892CB: CloseHandle.KERNEL32(00000000), ref: 0078939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00789448
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction ID: cf521343015178553c3a1d2a393e6272c0b3de614ed31637e5ba322bc01a90f9
• Instruction Fuzzy Hash: B80152F6940158BBD721A7619D4DEDF377CDB95701F0040A1BB49E2080DAB897C58F75
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: f54e17db91bb3e2e18ff366680972cfd35442e7a55dfa0556563681848d8bc3e
• Instruction Fuzzy Hash: 9BE0C2306041119FCB00AB2CF848AC537E4EF0A331F008180F040D31A1C738DCC29740
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
• CloseHandle.KERNEL32(000000FF), ref: 00786BD8
  • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
  • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
• Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction ID: 98284cedbb5e0bdd830b2312c414fc7784c5483ff006d889c06aaf1529bf7221
• Instruction Fuzzy Hash: 167136B194021DFFDB10AFA4CC85AEEBBB9FB04314F20456AE515E6190D7389E92DB60
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
• Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007841AB
                                                                                        • GetLastError.KERNEL32 ref: 007841B5
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 007841C6
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007841D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3373104450-0
                                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction ID: 0e4109f3f68f01feb6924853711e7862713e3c47d7cb17c4899ed68bdf49b805
                                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                        • Instruction Fuzzy Hash: A001A97691110EABDF01EF91ED88BEE7B6CEB18355F104061F901E2050D7B49A948BB9
                                                                                        APIs
                                                                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0078421F
                                                                                        • GetLastError.KERNEL32 ref: 00784229
                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 0078423A
                                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0078424D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                        • String ID:
                                                                                        • API String ID: 888215731-0
                                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction ID: 349961e146e23fbe600ff5eecd25aa1a6ec98d1e63e6c483878e9f51718b02eb
                                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                        • Instruction Fuzzy Hash: 5A01A57255510AABDF01EF90ED84BEE7BACFB08355F108461F901E2050D7B49A549BB6
                                                                                        APIs
                                                                                        • lstrcmp.KERNEL32(?,80000009), ref: 0078E066
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmp
                                                                                        • String ID: A$ A$ A
                                                                                        • API String ID: 1534048567-1846390581
                                                                                        • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction ID: 0c6a11cff764635da061b8444645764357d3c6bfcf441a47ddffcdc2cfb15445
                                                                                        • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                        • Instruction Fuzzy Hash: ADF06D322007169BCB20DF65DC84A92B7E9FB09321B648A2AE158D3060D3B9E898CB55
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                        • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                        • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                        • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                        • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                        • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                        • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                        • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                        • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                        • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                        • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00403103
                                                                                        • GetTickCount.KERNEL32 ref: 0040310F
                                                                                        • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 2207858713-0
                                                                                        • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                        • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                        • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                        APIs
                                                                                        • WriteFile.KERNEL32(00000001,Dx,00000000,00000000,00000000), ref: 0078E470
                                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 0078E484
                                                                                          • Part of subcall function 0078E2FC: RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
                                                                                          • Part of subcall function 0078E2FC: RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0078E38E
                                                                                          • Part of subcall function 0078E2FC: RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
                                                                                          • Part of subcall function 0078E2FC: RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                        • String ID: Dx
                                                                                        • API String ID: 4151426672-788195219
                                                                                        • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                        • Instruction ID: 62fbe1fc4a2e4788591fbd1af2e110fab4b62fc7066f466e4188aaaa918b071b
                                                                                        • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                        • Instruction Fuzzy Hash: 9F4198B1980214FAEB207B528C4AFEB3B6CEB14765F148035FE0D94192E7B98A50D7B5
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007883C6
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00788477
                                                                                          • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
                                                                                          • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
                                                                                          • Part of subcall function 007869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
                                                                                          • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
                                                                                          • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                        • String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
                                                                                        • API String ID: 359188348-1823783247
                                                                                        • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                        • Instruction ID: c9cf97f7ebe9aef36ac5b16251964888eef20f1adb5550a99368ffa7c3806934
                                                                                        • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                        • Instruction Fuzzy Hash: 4E4172B298014EBFEB50FFA09D85DFF776CEB04340F5444AAF509D6011FAB85A948B61
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 0078AFFF
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B00D
                                                                                          • Part of subcall function 0078AF6F: gethostname.WS2_32(?,00000080), ref: 0078AF83
                                                                                          • Part of subcall function 0078AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0078AFE6
                                                                                          • Part of subcall function 0078331C: gethostname.WS2_32(?,00000080), ref: 0078333F
                                                                                          • Part of subcall function 0078331C: gethostbyname.WS2_32(?), ref: 00783349
                                                                                          • Part of subcall function 0078AA0A: inet_ntoa.WS2_32(00000000), ref: 0078AA10
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %OUTLOOK_BND_
                                                                                        • API String ID: 1981676241-3684217054
                                                                                        • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction ID: a5081ab1866e201947f4913d7becc379667e44a1ac24d862e467f7019fe34b7f
                                                                                        • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                        • Instruction Fuzzy Hash: D041007294024CEBDB25EFA0DC4AEEF3B6CFB08304F144426F92592152EB79D6548B55
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00789536
• Sleep.KERNEL32(000001F4), ref: 0078955D
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
APIs
• GetTickCount.KERNEL32 ref: 0078B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0078BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0078BA94
• GetTickCount.KERNEL32 ref: 0078BB79
• GetTickCount.KERNEL32 ref: 0078BB99
• InterlockedIncrement.KERNEL32(?), ref: 0078BE15
• closesocket.WS2_32(00000000), ref: 0078BEB4
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 007870BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007870F4
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000C.00000002.2089883711.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_oxdombt.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
APIs
  • Part of subcall function 00782F88: GetModuleHandleA.KERNEL32(?), ref: 00782FA1
  • Part of subcall function 00782F88: LoadLibraryA.KERNEL32(?), ref: 00782FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 007831DA
• HeapFree.KERNEL32(00000000), ref: 007831E1
Memory Dump Source
• Source File: 0000000C.00000002.2090133094.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_780000_oxdombt.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
                                                                                        • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction ID: b1b0c1146997e16d652d6cf526e355ffa6fc717f626ca4eab37d9ecdda0bd4a0
                                                                                        • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                        • Instruction Fuzzy Hash: 4D519A3194020AEFCF01AF68D8889FAB775FF15705F244169EC96C7211E73ADA19CB90

Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1806
Total number of Limit Nodes: 18
                                                                                        execution_graph 7903 2a15e21 7904 2a15e36 7903->7904 7905 2a15e29 7903->7905 7907 2a150dc 7905->7907 7908 2a14bd1 4 API calls 7907->7908 7909 2a150f2 7908->7909 7910 2a14ae6 8 API calls 7909->7910 7916 2a150ff 7910->7916 7911 2a15130 7913 2a14ae6 8 API calls 7911->7913 7912 2a14ae6 8 API calls 7914 2a15110 lstrcmpA 7912->7914 7915 2a15138 7913->7915 7914->7911 7914->7916 7918 2a1516e 7915->7918 7919 2a14ae6 8 API calls 7915->7919 7949 2a1513e 7915->7949 7916->7911 7916->7912 7917 2a14ae6 8 API calls 7916->7917 7917->7916 7921 2a14ae6 8 API calls 7918->7921 7918->7949 7920 2a1515e 7919->7920 7920->7918 7923 2a14ae6 8 API calls 7920->7923 7922 2a151b6 7921->7922 7950 2a14a3d 7922->7950 7923->7918 7926 2a14ae6 8 API calls 7927 2a151c7 7926->7927 7928 2a14ae6 8 API calls 7927->7928 7929 2a151d7 7928->7929 7930 2a14ae6 8 API calls 7929->7930 7931 2a151e7 7930->7931 7932 2a14ae6 8 API calls 7931->7932 7931->7949 7933 2a15219 7932->7933 7934 2a14ae6 8 API calls 7933->7934 7935 2a15227 7934->7935 7936 2a14ae6 8 API calls 7935->7936 7937 2a1524f lstrcpyA 7936->7937 7938 2a14ae6 8 API calls 7937->7938 7941 2a15263 7938->7941 7939 2a14ae6 8 API calls 7940 2a15315 7939->7940 7942 2a14ae6 8 API calls 7940->7942 7941->7939 7943 2a15323 7942->7943 7944 2a14ae6 8 API calls 7943->7944 7946 2a15331 7944->7946 7945 2a14ae6 8 API calls 7945->7946 7946->7945 7947 2a14ae6 8 API calls 7946->7947 7946->7949 7948 2a15351 lstrcmpA 7947->7948 7948->7946 7948->7949 7949->7904 7951 2a14a53 7950->7951 7952 2a14a4a 7950->7952 7954 2a14a78 7951->7954 7955 2a1ebed 8 API calls 7951->7955 7953 2a1ebed 8 API calls 7952->7953 7953->7951 7956 2a14aa3 7954->7956 7957 2a14a8e 7954->7957 7955->7954 7958 2a14a9b 7956->7958 7960 2a1ebed 8 API calls 7956->7960 7957->7958 7959 2a1ec2e codecvt 4 API calls 7957->7959 7958->7926 7959->7958 7960->7958 8087 2a14861 IsBadWritePtr 8088 2a14876 8087->8088 8089 2a19961 
RegisterServiceCtrlHandlerA 8090 2a1997d 8089->8090 8091 2a199cb 8089->8091 8099 2a19892 8090->8099 8093 2a1999a 8094 2a199ba 8093->8094 8095 2a19892 SetServiceStatus 8093->8095 8094->8091 8096 2a19892 SetServiceStatus 8094->8096 8097 2a199aa 8095->8097 8096->8091 8097->8094 8098 2a198f2 41 API calls 8097->8098 8098->8094 8100 2a198c2 SetServiceStatus 8099->8100 8100->8093 8102 2a14960 8103 2a1496d 8102->8103 8105 2a1497d 8102->8105 8104 2a1ebed 8 API calls 8103->8104 8104->8105 7961 2a135a5 7962 2a130fa 4 API calls 7961->7962 7964 2a135b3 7962->7964 7963 2a135ea 7964->7963 7968 2a1355d 7964->7968 7966 2a135da 7966->7963 7967 2a1355d 4 API calls 7966->7967 7967->7963 7969 2a1f04e 4 API calls 7968->7969 7970 2a1356a 7969->7970 7970->7966 7971 2a15029 7976 2a14a02 7971->7976 7977 2a14a12 7976->7977 7979 2a14a18 7976->7979 7978 2a1ec2e codecvt 4 API calls 7977->7978 7978->7979 7980 2a14a26 7979->7980 7981 2a1ec2e codecvt 4 API calls 7979->7981 7982 2a14a34 7980->7982 7983 2a1ec2e codecvt 4 API calls 7980->7983 7981->7980 7983->7982 6131 2a19a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 6247 2a1ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6131->6247 6133 2a19a95 6134 2a19aa3 GetModuleHandleA GetModuleFileNameA 6133->6134 6140 2a1a3cc 6133->6140 6147 2a19ac4 6134->6147 6135 2a1a41c CreateThread WSAStartup 6248 2a1e52e 6135->6248 7300 2a1405e CreateEventA 6135->7300 6136 2a19afd GetCommandLineA 6139 2a19b22 6136->6139 6137 2a1a406 DeleteFileA 6137->6140 6141 2a1a40d 6137->6141 6152 2a19c0c 6139->6152 6158 2a19b47 6139->6158 6140->6135 6140->6137 6140->6141 6143 2a1a3ed GetLastError 6140->6143 6141->6135 6142 2a1a445 6267 2a1eaaf 6142->6267 6143->6141 6145 2a1a3f8 Sleep 6143->6145 6145->6137 6146 2a1a44d 6271 2a11d96 6146->6271 6147->6136 6149 2a1a457 6319 2a180c9 6149->6319 6511 2a196aa 6152->6511 6162 2a19b96 lstrlenA 6158->6162 6164 2a19b58 6158->6164 6159 2a1a1d2 6165 2a1a1e3 GetCommandLineA 6159->6165 6160 2a19c39 6163 2a1a167 
GetModuleHandleA GetModuleFileNameA 6160->6163 6517 2a14280 CreateEventA 6160->6517 6162->6164 6167 2a19c05 ExitProcess 6163->6167 6168 2a1a189 6163->6168 6164->6167 6470 2a1675c 6164->6470 6191 2a1a205 6165->6191 6168->6167 6176 2a1a1b2 GetDriveTypeA 6168->6176 6176->6167 6178 2a1a1c5 6176->6178 6177 2a1675c 21 API calls 6179 2a19c79 6177->6179 6618 2a19145 GetModuleHandleA GetModuleFileNameA CharToOemA 6178->6618 6179->6163 6186 2a19ca0 GetTempPathA 6179->6186 6187 2a19e3e 6179->6187 6181 2a19bff 6181->6167 6183 2a1a49f GetTickCount 6184 2a1a491 6183->6184 6188 2a1a4be Sleep 6183->6188 6184->6183 6184->6188 6190 2a1a4b7 GetTickCount 6184->6190 6366 2a1c913 6184->6366 6186->6187 6189 2a19cba 6186->6189 6197 2a19e6b GetEnvironmentVariableA 6187->6197 6198 2a19e04 6187->6198 6188->6184 6543 2a199d2 lstrcpyA 6189->6543 6190->6188 6194 2a1a285 lstrlenA 6191->6194 6207 2a1a239 6191->6207 6194->6207 6197->6198 6199 2a19e7d 6197->6199 6613 2a1ec2e 6198->6613 6200 2a199d2 16 API calls 6199->6200 6201 2a19e9d 6200->6201 6201->6198 6206 2a19eb0 lstrcpyA lstrlenA 6201->6206 6204 2a19d5f 6557 2a16cc9 6204->6557 6205 2a1a3c2 6630 2a198f2 6205->6630 6208 2a19ef4 6206->6208 6626 2a16ec3 6207->6626 6211 2a16dc2 6 API calls 6208->6211 6215 2a19f03 6208->6215 6211->6215 6212 2a1a39d StartServiceCtrlDispatcherA 6212->6205 6213 2a19d72 lstrcpyA lstrcatA lstrcatA 6217 2a19cf6 6213->6217 6214 2a1a3c7 6214->6140 6216 2a19f32 RegOpenKeyExA 6215->6216 6219 2a19f48 RegSetValueExA RegCloseKey 6216->6219 6222 2a19f70 6216->6222 6566 2a19326 6217->6566 6218 2a1a35f 6218->6205 6218->6212 6219->6222 6227 2a19f9d GetModuleHandleA GetModuleFileNameA 6222->6227 6223 2a19e0c DeleteFileA 6223->6187 6224 2a19dde GetFileAttributesExA 6224->6223 6225 2a19df7 6224->6225 6225->6198 6603 2a196ff 6225->6603 6229 2a19fc2 6227->6229 6230 2a1a093 6227->6230 6229->6230 6236 2a19ff1 GetDriveTypeA 6229->6236 6231 2a1a103 CreateProcessA 6230->6231 6232 2a1a0a4 wsprintfA 6230->6232 6233 2a1a13a 6231->6233 6234 
2a1a12a DeleteFileA 6231->6234 6609 2a12544 6232->6609 6233->6198 6239 2a196ff 3 API calls 6233->6239 6234->6233 6236->6230 6238 2a1a00d 6236->6238 6237 2a1a0d3 lstrcatA 6611 2a1ee2a 6237->6611 6242 2a1a02d lstrcatA 6238->6242 6239->6198 6243 2a1a046 6242->6243 6244 2a1a052 lstrcatA 6243->6244 6245 2a1a064 lstrcatA 6243->6245 6244->6245 6245->6230 6246 2a1a081 lstrcatA 6245->6246 6246->6230 6247->6133 6637 2a1dd05 GetTickCount 6248->6637 6250 2a1e538 6645 2a1dbcf 6250->6645 6252 2a1e544 6253 2a1e555 GetFileSize 6252->6253 6257 2a1e5b8 6252->6257 6254 2a1e5b1 CloseHandle 6253->6254 6255 2a1e566 6253->6255 6254->6257 6669 2a1db2e 6255->6669 6655 2a1e3ca RegOpenKeyExA 6257->6655 6259 2a1e576 ReadFile 6259->6254 6260 2a1e58d 6259->6260 6673 2a1e332 6260->6673 6264 2a1e5f2 6265 2a1e3ca 19 API calls 6264->6265 6266 2a1e629 6264->6266 6265->6266 6266->6142 6268 2a1eabe 6267->6268 6270 2a1eaba 6267->6270 6269 2a1dd05 6 API calls 6268->6269 6268->6270 6269->6270 6270->6146 6272 2a1ee2a 6271->6272 6273 2a11db4 GetVersionExA 6272->6273 6274 2a11dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6273->6274 6276 2a11e24 6274->6276 6277 2a11e16 GetCurrentProcess 6274->6277 6731 2a1e819 6276->6731 6277->6276 6279 2a11e3d 6280 2a1e819 11 API calls 6279->6280 6281 2a11e4e 6280->6281 6282 2a11e77 6281->6282 6772 2a1df70 6281->6772 6738 2a1ea84 6282->6738 6286 2a11e6c 6288 2a1df70 12 API calls 6286->6288 6287 2a1e819 11 API calls 6289 2a11e93 6287->6289 6288->6282 6742 2a1199c inet_addr LoadLibraryA 6289->6742 6292 2a1e819 11 API calls 6293 2a11eb9 6292->6293 6294 2a11ed8 6293->6294 6296 2a1f04e 4 API calls 6293->6296 6295 2a1e819 11 API calls 6294->6295 6297 2a11eee 6295->6297 6298 2a11ec9 6296->6298 6300 2a11f0a 6297->6300 6756 2a11b71 6297->6756 6299 2a1ea84 30 API calls 6298->6299 6299->6294 6302 2a1e819 11 API calls 6300->6302 6304 2a11f23 6302->6304 6303 2a11efd 6305 2a1ea84 30 API calls 6303->6305 6306 2a11f3f 6304->6306 6760 2a11bdf 6304->6760 6305->6300 6307 2a1e819 11 API 
calls 6306->6307 6309 2a11f5e 6307->6309 6312 2a11f77 6309->6312 6313 2a1ea84 30 API calls 6309->6313 6311 2a1ea84 30 API calls 6311->6306 6768 2a130b5 6312->6768 6313->6312 6317 2a16ec3 2 API calls 6318 2a11f8e GetTickCount 6317->6318 6318->6149 6320 2a16ec3 2 API calls 6319->6320 6321 2a180eb 6320->6321 6322 2a180f9 6321->6322 6323 2a180ef 6321->6323 6839 2a1704c 6322->6839 6826 2a17ee6 6323->6826 6326 2a18269 CreateThread 6345 2a15e6c 6326->6345 7330 2a1877e 6326->7330 6327 2a180f4 6327->6326 6329 2a1675c 21 API calls 6327->6329 6328 2a18110 6328->6327 6330 2a18156 RegOpenKeyExA 6328->6330 6335 2a18244 6329->6335 6331 2a18216 6330->6331 6332 2a1816d RegQueryValueExA 6330->6332 6331->6327 6333 2a181f7 6332->6333 6334 2a1818d 6332->6334 6336 2a1820d RegCloseKey 6333->6336 6338 2a1ec2e codecvt 4 API calls 6333->6338 6334->6333 6339 2a1ebcc 4 API calls 6334->6339 6335->6326 6337 2a1ec2e codecvt 4 API calls 6335->6337 6336->6331 6337->6326 6344 2a181dd 6338->6344 6340 2a181a0 6339->6340 6340->6336 6341 2a181aa RegQueryValueExA 6340->6341 6341->6333 6342 2a181c4 6341->6342 6343 2a1ebcc 4 API calls 6342->6343 6343->6344 6344->6336 6941 2a1ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6345->6941 6347 2a15e71 6942 2a1e654 6347->6942 6349 2a15ec1 6350 2a13132 6349->6350 6351 2a1df70 12 API calls 6350->6351 6352 2a1313b 6351->6352 6353 2a1c125 6352->6353 6953 2a1ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6353->6953 6355 2a1c12d 6356 2a1e654 13 API calls 6355->6356 6357 2a1c2bd 6356->6357 6358 2a1e654 13 API calls 6357->6358 6359 2a1c2c9 6358->6359 6360 2a1e654 13 API calls 6359->6360 6361 2a1a47a 6360->6361 6362 2a18db1 6361->6362 6363 2a18dbc 6362->6363 6364 2a1e654 13 API calls 6363->6364 6365 2a18dec Sleep 6364->6365 6365->6184 6367 2a1c92f 6366->6367 6368 2a1c93c 6367->6368 6965 2a1c517 6367->6965 6370 2a1ca2b 6368->6370 6371 2a1e819 11 API calls 6368->6371 6370->6184 6372 2a1c96a 6371->6372 6373 2a1e819 11 API calls 6372->6373 
6374 2a1c97d 6373->6374 6375 2a1e819 11 API calls 6374->6375 6376 2a1c990 6375->6376 6377 2a1c9aa 6376->6377 6378 2a1ebcc 4 API calls 6376->6378 6377->6370 6954 2a12684 6377->6954 6378->6377 6383 2a1ca26 6982 2a1c8aa 6383->6982 6386 2a1ca44 6387 2a1ca4b closesocket 6386->6387 6388 2a1ca83 6386->6388 6387->6383 6389 2a1ea84 30 API calls 6388->6389 6390 2a1caac 6389->6390 6391 2a1f04e 4 API calls 6390->6391 6392 2a1cab2 6391->6392 6393 2a1ea84 30 API calls 6392->6393 6394 2a1caca 6393->6394 6395 2a1ea84 30 API calls 6394->6395 6396 2a1cad9 6395->6396 6986 2a1c65c 6396->6986 6399 2a1cb60 closesocket 6399->6370 6401 2a1dad2 closesocket 6402 2a1e318 23 API calls 6401->6402 6403 2a1dae0 6402->6403 6403->6370 6404 2a1df4c 20 API calls 6463 2a1cb70 6404->6463 6409 2a1e654 13 API calls 6409->6463 6415 2a1ea84 30 API calls 6415->6463 6416 2a1d569 closesocket Sleep 7033 2a1e318 6416->7033 6417 2a1d815 wsprintfA 6417->6463 6418 2a1cc1c GetTempPathA 6418->6463 6419 2a1c517 23 API calls 6419->6463 6421 2a1f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6421->6463 6422 2a1d582 ExitProcess 6423 2a1e8a1 30 API calls 6423->6463 6424 2a1c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6424->6463 6425 2a1cfe3 GetSystemDirectoryA 6425->6463 6426 2a1cfad GetEnvironmentVariableA 6426->6463 6427 2a1675c 21 API calls 6427->6463 6428 2a1d027 GetSystemDirectoryA 6428->6463 6429 2a1d105 lstrcatA 6429->6463 6430 2a1ef1e lstrlenA 6430->6463 6431 2a1cc9f CreateFileA 6433 2a1ccc6 WriteFile 6431->6433 6431->6463 6432 2a1ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6432->6463 6435 2a1cced CloseHandle 6433->6435 6436 2a1cdcc CloseHandle 6433->6436 6434 2a1d15b CreateFileA 6437 2a1d182 WriteFile CloseHandle 6434->6437 6434->6463 6443 2a1cd2f 6435->6443 6436->6463 6437->6463 6438 2a1cd16 wsprintfA 6438->6443 6439 2a1d149 SetFileAttributesA 6439->6434 6440 2a1d36e GetEnvironmentVariableA 6440->6463 6441 2a1d1bf SetFileAttributesA 
6441->6463 6442 2a18e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6442->6463 6443->6438 7015 2a17fcf 6443->7015 6444 2a1d22d GetEnvironmentVariableA 6444->6463 6445 2a17ead 6 API calls 6445->6463 6447 2a1d3af lstrcatA 6450 2a1d3f2 CreateFileA 6447->6450 6447->6463 6449 2a17fcf 64 API calls 6449->6463 6451 2a1d415 WriteFile CloseHandle 6450->6451 6450->6463 6451->6463 6452 2a1cd81 WaitForSingleObject CloseHandle CloseHandle 6454 2a1f04e 4 API calls 6452->6454 6453 2a1cda5 6455 2a17ee6 64 API calls 6453->6455 6454->6453 6458 2a1cdbd DeleteFileA 6455->6458 6456 2a1d3e0 SetFileAttributesA 6456->6450 6457 2a1d26e lstrcatA 6460 2a1d2b1 CreateFileA 6457->6460 6457->6463 6458->6463 6459 2a1d4b1 CreateProcessA 6461 2a1d4e8 CloseHandle CloseHandle 6459->6461 6459->6463 6460->6463 6464 2a1d2d8 WriteFile CloseHandle 6460->6464 6461->6463 6462 2a1d452 SetFileAttributesA 6462->6463 6463->6401 6463->6404 6463->6409 6463->6415 6463->6416 6463->6417 6463->6418 6463->6419 6463->6421 6463->6423 6463->6424 6463->6425 6463->6426 6463->6427 6463->6428 6463->6429 6463->6430 6463->6431 6463->6432 6463->6434 6463->6439 6463->6440 6463->6441 6463->6442 6463->6444 6463->6445 6463->6447 6463->6449 6463->6450 6463->6456 6463->6457 6463->6459 6463->6460 6463->6462 6465 2a17ee6 64 API calls 6463->6465 6466 2a1d29f SetFileAttributesA 6463->6466 6469 2a1d31d SetFileAttributesA 6463->6469 6994 2a1c75d 6463->6994 7006 2a17e2f 6463->7006 7028 2a17ead 6463->7028 7038 2a131d0 6463->7038 7055 2a13c09 6463->7055 7065 2a13a00 6463->7065 7069 2a1e7b4 6463->7069 7072 2a1c06c 6463->7072 7078 2a16f5f GetUserNameA 6463->7078 7089 2a1e854 6463->7089 7099 2a17dd6 6463->7099 6464->6463 6465->6463 6466->6460 6469->6463 6471 2a16784 CreateFileA 6470->6471 6472 2a1677a SetFileAttributesA 6470->6472 6473 2a167b5 6471->6473 6474 2a167a4 CreateFileA 6471->6474 6472->6471 6475 2a167c5 6473->6475 6476 2a167ba SetFileAttributesA 6473->6476 6474->6473 6477 2a16977 6475->6477 6478 2a167cf 
GetFileSize 6475->6478 6476->6475 6477->6167 6498 2a16a60 CreateFileA 6477->6498 6479 2a167e5 6478->6479 6497 2a16965 6478->6497 6480 2a167ed ReadFile 6479->6480 6479->6497 6482 2a16811 SetFilePointer 6480->6482 6480->6497 6481 2a1696e FindCloseChangeNotification 6481->6477 6483 2a1682a ReadFile 6482->6483 6482->6497 6484 2a16848 SetFilePointer 6483->6484 6483->6497 6485 2a16867 6484->6485 6484->6497 6486 2a168d5 6485->6486 6487 2a16878 ReadFile 6485->6487 6486->6481 6489 2a1ebcc 4 API calls 6486->6489 6488 2a168d0 6487->6488 6491 2a16891 6487->6491 6488->6486 6490 2a168f8 6489->6490 6492 2a16900 SetFilePointer 6490->6492 6490->6497 6491->6487 6491->6488 6493 2a1695a 6492->6493 6494 2a1690d ReadFile 6492->6494 6496 2a1ec2e codecvt 4 API calls 6493->6496 6494->6493 6495 2a16922 6494->6495 6495->6481 6496->6497 6497->6481 6499 2a16b8c GetLastError 6498->6499 6500 2a16a8f GetDiskFreeSpaceA 6498->6500 6509 2a16b86 6499->6509 6501 2a16ac5 6500->6501 6510 2a16ad7 6500->6510 7184 2a1eb0e 6501->7184 6505 2a16b56 CloseHandle 6508 2a16b65 GetLastError CloseHandle 6505->6508 6505->6509 6506 2a16b36 GetLastError CloseHandle 6507 2a16b7f DeleteFileA 6506->6507 6507->6509 6508->6507 6509->6181 7188 2a16987 6510->7188 6512 2a196b9 6511->6512 6513 2a173ff 17 API calls 6512->6513 6514 2a196e2 6513->6514 6515 2a196f7 6514->6515 6516 2a1704c 16 API calls 6514->6516 6515->6159 6515->6160 6516->6515 6518 2a142a5 6517->6518 6523 2a1429d 6517->6523 7194 2a13ecd 6518->7194 6520 2a142b0 7198 2a14000 6520->7198 6522 2a143c1 CloseHandle 6522->6523 6523->6163 6523->6177 6524 2a142b6 6524->6522 6524->6523 7204 2a13f18 WriteFile 6524->7204 6529 2a143ba CloseHandle 6529->6522 6530 2a14318 6531 2a13f18 4 API calls 6530->6531 6532 2a14331 6531->6532 6533 2a13f18 4 API calls 6532->6533 6534 2a1434a 6533->6534 6535 2a1ebcc 4 API calls 6534->6535 6536 2a14350 6535->6536 6537 2a13f18 4 API calls 6536->6537 6538 2a14389 6537->6538 6539 2a1ec2e codecvt 4 API calls 6538->6539 6540 2a1438f 6539->6540 6541 
2a13f8c 4 API calls 6540->6541 6542 2a1439f CloseHandle CloseHandle 6541->6542 6542->6523 6544 2a199eb 6543->6544 6545 2a19a2f lstrcatA 6544->6545 6546 2a1ee2a 6545->6546 6547 2a19a4b lstrcatA 6546->6547 6548 2a16a60 13 API calls 6547->6548 6549 2a19a60 6548->6549 6549->6187 6549->6217 6550 2a16dc2 6549->6550 6551 2a16e33 6550->6551 6552 2a16dd7 6550->6552 6551->6204 6553 2a16cc9 5 API calls 6552->6553 6554 2a16ddc 6553->6554 6554->6554 6555 2a16e02 GetVolumeInformationA 6554->6555 6556 2a16e24 6554->6556 6555->6556 6556->6551 6558 2a16cdc GetModuleHandleA GetProcAddress 6557->6558 6563 2a16d8b 6557->6563 6559 2a16d12 GetSystemDirectoryA 6558->6559 6560 2a16cfd 6558->6560 6561 2a16d27 GetWindowsDirectoryA 6559->6561 6562 2a16d1e 6559->6562 6560->6559 6560->6563 6565 2a16d42 6561->6565 6562->6561 6562->6563 6563->6213 6564 2a1ef1e lstrlenA 6564->6563 6565->6564 7212 2a11910 6566->7212 6569 2a1934a GetModuleHandleA GetModuleFileNameA 6571 2a1937f 6569->6571 6572 2a193a4 6571->6572 6573 2a193d9 6571->6573 6574 2a193c3 wsprintfA 6572->6574 6575 2a19401 wsprintfA 6573->6575 6577 2a19415 6574->6577 6575->6577 6576 2a194a0 6578 2a16edd 5 API calls 6576->6578 6577->6576 6580 2a16cc9 5 API calls 6577->6580 6579 2a194ac 6578->6579 6581 2a1962f 6579->6581 6582 2a194e8 RegOpenKeyExA 6579->6582 6586 2a19439 6580->6586 6587 2a19646 6581->6587 7227 2a11820 6581->7227 6584 2a19502 6582->6584 6585 2a194fb 6582->6585 6590 2a1951f RegQueryValueExA 6584->6590 6585->6581 6589 2a1958a 6585->6589 6591 2a1ef1e lstrlenA 6586->6591 6596 2a195d6 6587->6596 7233 2a191eb 6587->7233 6589->6587 6592 2a19593 6589->6592 6593 2a19530 6590->6593 6594 2a19539 6590->6594 6595 2a19462 6591->6595 6592->6596 7214 2a1f0e4 6592->7214 6597 2a1956e RegCloseKey 6593->6597 6598 2a19556 RegQueryValueExA 6594->6598 6599 2a1947e wsprintfA 6595->6599 6596->6223 6596->6224 6597->6585 6598->6593 6598->6597 6599->6576 6601 2a195bb 6601->6596 7221 2a118e0 6601->7221 6604 2a12544 6603->6604 6605 2a1972d RegOpenKeyExA 
6604->6605 6606 2a19765 6605->6606 6607 2a19740 6605->6607 6606->6198 6608 2a1974f RegDeleteValueA RegCloseKey 6607->6608 6608->6606 6610 2a12554 6609->6610 6610->6237 6610->6610 6612 2a1a0ec lstrcatA 6611->6612 6612->6231 6614 2a1ec37 6613->6614 6615 2a1a15d 6613->6615 6616 2a1eba0 codecvt 2 API calls 6614->6616 6615->6163 6615->6167 6617 2a1ec3d GetProcessHeap RtlFreeHeap 6616->6617 6617->6615 6619 2a12544 6618->6619 6620 2a1919e wsprintfA 6619->6620 6621 2a191bb 6620->6621 7271 2a19064 GetTempPathA 6621->7271 6624 2a191d5 ShellExecuteA 6625 2a191e7 6624->6625 6625->6181 6627 2a16ed5 6626->6627 6628 2a16ecc 6626->6628 6627->6218 6629 2a16e36 2 API calls 6628->6629 6629->6627 6631 2a198f6 6630->6631 6632 2a14280 30 API calls 6631->6632 6633 2a19904 Sleep 6631->6633 6635 2a19915 6631->6635 6632->6631 6633->6631 6633->6635 6634 2a19947 6634->6214 6635->6634 7278 2a1977c 6635->7278 6638 2a1dd41 InterlockedExchange 6637->6638 6639 2a1dd20 GetCurrentThreadId 6638->6639 6640 2a1dd4a 6638->6640 6641 2a1dd53 GetCurrentThreadId 6639->6641 6642 2a1dd2e GetTickCount 6639->6642 6640->6641 6641->6250 6643 2a1dd39 Sleep 6642->6643 6644 2a1dd4c 6642->6644 6643->6638 6644->6641 6646 2a1dbf0 6645->6646 6678 2a1db67 GetEnvironmentVariableA 6646->6678 6648 2a1dc19 6649 2a1dcda 6648->6649 6650 2a1db67 3 API calls 6648->6650 6649->6252 6651 2a1dc5c 6650->6651 6651->6649 6652 2a1db67 3 API calls 6651->6652 6653 2a1dc9b 6652->6653 6653->6649 6654 2a1db67 3 API calls 6653->6654 6654->6649 6656 2a1e528 6655->6656 6657 2a1e3f4 6655->6657 6656->6264 6658 2a1e434 RegQueryValueExA 6657->6658 6659 2a1e458 6658->6659 6660 2a1e51d RegCloseKey 6658->6660 6661 2a1e46e RegQueryValueExA 6659->6661 6660->6656 6661->6659 6662 2a1e488 6661->6662 6662->6660 6663 2a1db2e 8 API calls 6662->6663 6664 2a1e499 6663->6664 6664->6660 6665 2a1e4b9 RegQueryValueExA 6664->6665 6666 2a1e4e8 6664->6666 6665->6664 6665->6666 6666->6660 6667 2a1e332 14 API calls 6666->6667 6668 2a1e513 6667->6668 6668->6660 6670 
2a1db55 6669->6670 6671 2a1db3a 6669->6671 6670->6254 6670->6259 6682 2a1ebed 6671->6682 6700 2a1f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6673->6700 6675 2a1e3be 6675->6254 6676 2a1e342 6676->6675 6703 2a1de24 6676->6703 6679 2a1db89 lstrcpyA CreateFileA 6678->6679 6680 2a1dbca 6678->6680 6679->6648 6680->6648 6683 2a1ec01 6682->6683 6684 2a1ebf6 6682->6684 6694 2a1eba0 6683->6694 6691 2a1ebcc GetProcessHeap RtlAllocateHeap 6684->6691 6692 2a1eb74 2 API calls 6691->6692 6693 2a1ebe8 6692->6693 6693->6670 6695 2a1eba7 GetProcessHeap HeapSize 6694->6695 6696 2a1ebbf GetProcessHeap RtlReAllocateHeap 6694->6696 6695->6696 6697 2a1eb74 6696->6697 6698 2a1eb7b GetProcessHeap HeapSize 6697->6698 6699 2a1eb93 6697->6699 6698->6699 6699->6670 6714 2a1eb41 6700->6714 6702 2a1f0b7 6702->6676 6704 2a1de3a 6703->6704 6707 2a1de4e 6704->6707 6723 2a1dd84 6704->6723 6707->6676 6708 2a1de9e 6708->6707 6709 2a1ebed 8 API calls 6708->6709 6710 2a1def6 6709->6710 6710->6707 6713 2a1ddcf lstrcmpA 6710->6713 6711 2a1de76 6727 2a1ddcf 6711->6727 6713->6707 6715 2a1eb61 6714->6715 6716 2a1eb4a 6714->6716 6715->6702 6719 2a1eae4 6716->6719 6718 2a1eb54 6718->6702 6718->6715 6720 2a1eb02 GetProcAddress 6719->6720 6721 2a1eaed LoadLibraryA 6719->6721 6720->6718 6721->6720 6722 2a1eb01 6721->6722 6722->6718 6724 2a1ddc5 6723->6724 6725 2a1dd96 6723->6725 6724->6708 6724->6711 6725->6724 6726 2a1ddad lstrcmpiA 6725->6726 6726->6724 6726->6725 6728 2a1de20 6727->6728 6729 2a1dddd 6727->6729 6728->6707 6729->6728 6730 2a1ddfa lstrcmpA 6729->6730 6730->6729 6732 2a1dd05 6 API calls 6731->6732 6733 2a1e821 6732->6733 6734 2a1dd84 lstrcmpiA 6733->6734 6735 2a1e82c 6734->6735 6736 2a1e844 6735->6736 6781 2a12480 6735->6781 6736->6279 6739 2a1ea98 6738->6739 6790 2a1e8a1 6739->6790 6741 2a11e84 6741->6287 6743 2a119d5 GetProcAddress GetProcAddress GetProcAddress 6742->6743 6744 2a119ce 6742->6744 6745 2a11ab3 FreeLibrary 6743->6745 6746 2a11a04 6743->6746 6744->6292 6745->6744 6746->6745 
6747 2a11a14 GetBestInterface GetProcessHeap 6746->6747 6747->6744 6748 2a11a2e HeapAlloc 6747->6748 6748->6744 6749 2a11a42 GetAdaptersInfo 6748->6749 6750 2a11a62 6749->6750 6751 2a11a52 HeapReAlloc 6749->6751 6752 2a11aa1 FreeLibrary 6750->6752 6753 2a11a69 GetAdaptersInfo 6750->6753 6751->6750 6752->6744 6753->6752 6754 2a11a75 HeapFree 6753->6754 6754->6752 6818 2a11ac3 LoadLibraryA 6756->6818 6759 2a11bcf 6759->6303 6761 2a11ac3 13 API calls 6760->6761 6762 2a11c09 6761->6762 6763 2a11c5a 6762->6763 6764 2a11c0d GetComputerNameA 6762->6764 6763->6311 6765 2a11c45 GetVolumeInformationA 6764->6765 6766 2a11c1f 6764->6766 6765->6763 6766->6765 6767 2a11c41 6766->6767 6767->6763 6769 2a1ee2a 6768->6769 6770 2a130d0 gethostname gethostbyname 6769->6770 6771 2a11f82 6770->6771 6771->6317 6771->6318 6773 2a1dd05 6 API calls 6772->6773 6774 2a1df7c 6773->6774 6775 2a1dd84 lstrcmpiA 6774->6775 6779 2a1df89 6775->6779 6776 2a1dfc4 6776->6286 6777 2a1ddcf lstrcmpA 6777->6779 6778 2a1ec2e codecvt 4 API calls 6778->6779 6779->6776 6779->6777 6779->6778 6780 2a1dd84 lstrcmpiA 6779->6780 6780->6779 6784 2a12419 lstrlenA 6781->6784 6783 2a12491 6783->6736 6785 2a1243d lstrlenA 6784->6785 6789 2a12474 6784->6789 6786 2a12464 lstrlenA 6785->6786 6787 2a1244e lstrcmpiA 6785->6787 6786->6785 6786->6789 6787->6786 6788 2a1245c 6787->6788 6788->6786 6788->6789 6789->6783 6791 2a1dd05 6 API calls 6790->6791 6792 2a1e8b4 6791->6792 6793 2a1dd84 lstrcmpiA 6792->6793 6794 2a1e8c0 6793->6794 6795 2a1e90a 6794->6795 6796 2a1e8c8 lstrcpynA 6794->6796 6798 2a12419 4 API calls 6795->6798 6806 2a1ea27 6795->6806 6797 2a1e8f5 6796->6797 6811 2a1df4c 6797->6811 6799 2a1e926 lstrlenA lstrlenA 6798->6799 6801 2a1e96a 6799->6801 6802 2a1e94c lstrlenA 6799->6802 6805 2a1ebcc 4 API calls 6801->6805 6801->6806 6802->6801 6803 2a1e901 6804 2a1dd84 lstrcmpiA 6803->6804 6804->6795 6807 2a1e98f 6805->6807 6806->6741 6807->6806 6808 2a1df4c 20 API calls 6807->6808 6809 2a1ea1e 6808->6809 6810 2a1ec2e 
codecvt 4 API calls 6809->6810 6810->6806 6812 2a1dd05 6 API calls 6811->6812 6813 2a1df51 6812->6813 6814 2a1f04e 4 API calls 6813->6814 6815 2a1df58 6814->6815 6816 2a1de24 10 API calls 6815->6816 6817 2a1df63 6816->6817 6817->6803 6819 2a11ae2 GetProcAddress 6818->6819 6825 2a11b68 GetComputerNameA GetVolumeInformationA 6818->6825 6822 2a11af5 6819->6822 6819->6825 6820 2a11b1c GetAdaptersAddresses 6820->6822 6823 2a11b29 6820->6823 6821 2a1ebed 8 API calls 6821->6822 6822->6820 6822->6821 6822->6823 6823->6823 6824 2a1ec2e codecvt 4 API calls 6823->6824 6823->6825 6824->6825 6825->6759 6827 2a16ec3 2 API calls 6826->6827 6828 2a17ef4 6827->6828 6838 2a17fc9 6828->6838 6862 2a173ff 6828->6862 6830 2a17f16 6830->6838 6882 2a17809 GetUserNameA 6830->6882 6832 2a17f63 6832->6838 6906 2a1ef1e lstrlenA 6832->6906 6835 2a1ef1e lstrlenA 6836 2a17fb7 6835->6836 6908 2a17a95 RegOpenKeyExA 6836->6908 6838->6327 6840 2a17073 6839->6840 6841 2a170b9 RegOpenKeyExA 6840->6841 6842 2a170d0 6841->6842 6856 2a171b8 6841->6856 6843 2a16dc2 6 API calls 6842->6843 6846 2a170d5 6843->6846 6844 2a1719b RegEnumValueA 6845 2a171af RegCloseKey 6844->6845 6844->6846 6845->6856 6846->6844 6848 2a171d0 6846->6848 6939 2a1f1a5 lstrlenA 6846->6939 6849 2a17205 RegCloseKey 6848->6849 6850 2a17227 6848->6850 6849->6856 6851 2a172b8 ___ascii_stricmp 6850->6851 6852 2a1728e RegCloseKey 6850->6852 6853 2a172cd RegCloseKey 6851->6853 6854 2a172dd 6851->6854 6852->6856 6853->6856 6855 2a17311 RegCloseKey 6854->6855 6858 2a17335 6854->6858 6855->6856 6856->6328 6857 2a173d5 RegCloseKey 6859 2a173e4 6857->6859 6858->6857 6860 2a1737e GetFileAttributesExA 6858->6860 6861 2a17397 6858->6861 6860->6861 6861->6857 6863 2a1741b 6862->6863 6864 2a16dc2 6 API calls 6863->6864 6865 2a1743f 6864->6865 6866 2a17469 RegOpenKeyExA 6865->6866 6868 2a177f9 6866->6868 6878 2a17487 ___ascii_stricmp 6866->6878 6867 2a17703 RegEnumKeyA 6869 2a17714 RegCloseKey 6867->6869 6867->6878 6868->6830 6869->6868 6870 2a1f1a5 
lstrlenA 6870->6878 6871 2a174d2 RegOpenKeyExA 6871->6878 6872 2a1772c 6874 2a17742 RegCloseKey 6872->6874 6875 2a1774b 6872->6875 6873 2a17521 RegQueryValueExA 6873->6878 6874->6875 6876 2a177ec RegCloseKey 6875->6876 6876->6868 6877 2a176e4 RegCloseKey 6877->6878 6878->6867 6878->6870 6878->6871 6878->6872 6878->6873 6878->6877 6880 2a1777e GetFileAttributesExA 6878->6880 6881 2a17769 6878->6881 6879 2a177e3 RegCloseKey 6879->6876 6880->6881 6881->6879 6883 2a1783d LookupAccountNameA 6882->6883 6889 2a17a8d 6882->6889 6884 2a17874 GetLengthSid GetFileSecurityA 6883->6884 6883->6889 6885 2a178a8 GetSecurityDescriptorOwner 6884->6885 6884->6889 6886 2a178c5 EqualSid 6885->6886 6887 2a1791d GetSecurityDescriptorDacl 6885->6887 6886->6887 6888 2a178dc LocalAlloc 6886->6888 6887->6889 6896 2a17941 6887->6896 6888->6887 6890 2a178ef InitializeSecurityDescriptor 6888->6890 6889->6832 6891 2a17916 LocalFree 6890->6891 6892 2a178fb SetSecurityDescriptorOwner 6890->6892 6891->6887 6892->6891 6894 2a1790b SetFileSecurityA 6892->6894 6893 2a1795b GetAce 6893->6896 6894->6891 6895 2a17980 EqualSid 6895->6896 6896->6889 6896->6893 6896->6895 6897 2a17a3d 6896->6897 6898 2a179be EqualSid 6896->6898 6899 2a1799d DeleteAce 6896->6899 6897->6889 6900 2a17a43 LocalAlloc 6897->6900 6898->6896 6899->6896 6900->6889 6901 2a17a56 InitializeSecurityDescriptor 6900->6901 6902 2a17a62 SetSecurityDescriptorDacl 6901->6902 6903 2a17a86 LocalFree 6901->6903 6902->6903 6904 2a17a73 SetFileSecurityA 6902->6904 6903->6889 6904->6903 6905 2a17a83 6904->6905 6905->6903 6907 2a17fa6 6906->6907 6907->6835 6909 2a17ac4 6908->6909 6910 2a17acb GetUserNameA 6908->6910 6909->6838 6911 2a17da7 RegCloseKey 6910->6911 6912 2a17aed LookupAccountNameA 6910->6912 6911->6909 6912->6911 6913 2a17b24 RegGetKeySecurity 6912->6913 6913->6911 6914 2a17b49 GetSecurityDescriptorOwner 6913->6914 6915 2a17b63 EqualSid 6914->6915 6916 2a17bb8 GetSecurityDescriptorDacl 6914->6916 6915->6916 6917 2a17b74 LocalAlloc 
                                                                                        APIs
                                                                                        • closesocket.WS2_32(?), ref: 02A1CA4E
                                                                                        • closesocket.WS2_32(?), ref: 02A1CB63
                                                                                        • GetTempPathA.KERNEL32(00000120,?), ref: 02A1CC28
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02A1CCB4
                                                                                        • WriteFile.KERNEL32(02A1A4B3,?,-000000E8,?,00000000), ref: 02A1CCDC
                                                                                        • CloseHandle.KERNEL32(02A1A4B3), ref: 02A1CCED
                                                                                        • wsprintfA.USER32 ref: 02A1CD21
                                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02A1CD77
                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02A1CD89
                                                                                        • CloseHandle.KERNEL32(?), ref: 02A1CD98
                                                                                        • CloseHandle.KERNEL32(?), ref: 02A1CD9D
                                                                                        • DeleteFileA.KERNEL32(?), ref: 02A1CDC4
                                                                                        • CloseHandle.KERNEL32(02A1A4B3), ref: 02A1CDCC
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02A1CFB1
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02A1CFEF
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02A1D033
                                                                                        • lstrcatA.KERNEL32(?,03F00108), ref: 02A1D10C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 02A1D155
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02A1D171
                                                                                        • WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000), ref: 02A1D195
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02A1D19C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 02A1D1C8
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02A1D231
                                                                                        • lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 02A1D27C
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02A1D2AB
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02A1D2C7
                                                                                        • WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02A1D2EB
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02A1D2F2
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02A1D326
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02A1D372
                                                                                        • lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 02A1D3BD
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02A1D3EC
                                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02A1D408
                                                                                        • WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02A1D428
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02A1D42F
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02A1D45B
                                                                                        • CreateProcessA.KERNEL32(?,02A20264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02A1D4DE
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02A1D4F4
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02A1D4FC
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02A1D513
                                                                                        • closesocket.WS2_32(?), ref: 02A1D56C
                                                                                        • Sleep.KERNEL32(000003E8), ref: 02A1D577
                                                                                        • ExitProcess.KERNEL32 ref: 02A1D583
                                                                                        • wsprintfA.USER32 ref: 02A1D81F
                                                                                          • Part of subcall function 02A1C65C: send.WS2_32(00000000,?,00000000), ref: 02A1C74B
                                                                                        • closesocket.WS2_32(?), ref: 02A1DAD5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                        • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                        • API String ID: 562065436-3491277984
                                                                                        • Opcode ID: ccf4ed3d25fe60626032aa8b80b7562d0662dfbccf8de3ec14bb6d0a8ad627fd
                                                                                        • Instruction ID: 48e641289ccb32aa8b1ef2057ec8c032ea73a9ece8abc24621c06806022c34d2
                                                                                        • Opcode Fuzzy Hash: ccf4ed3d25fe60626032aa8b80b7562d0662dfbccf8de3ec14bb6d0a8ad627fd
                                                                                        • Instruction Fuzzy Hash: 72B2C571D80218AFEB20DF68DD85FEA7BBEEB05324F05046AEA05A7180DF349959CF51
                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 02A19A7F
                                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 02A19A83
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(02A16511), ref: 02A19A8A
                                                                                          • Part of subcall function 02A1EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02A1EC5E
                                                                                          • Part of subcall function 02A1EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02A1EC72
                                                                                          • Part of subcall function 02A1EC54: GetTickCount.KERNEL32 ref: 02A1EC78
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02A19AB3
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02A19ABA
                                                                                        • GetCommandLineA.KERNEL32 ref: 02A19AFD
                                                                                        • lstrlenA.KERNEL32(?), ref: 02A19B99
                                                                                        • ExitProcess.KERNEL32 ref: 02A19C06
                                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 02A19CAC
                                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 02A19D7A
                                                                                        • lstrcatA.KERNEL32(?,?), ref: 02A19D8B
                                                                                        • lstrcatA.KERNEL32(?,02A2070C), ref: 02A19D9D
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02A19DED
                                                                                        • DeleteFileA.KERNEL32(00000022), ref: 02A19E38
                                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02A19E6F
                                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02A19EC8
                                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02A19ED5
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02A19F3B
                                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02A19F5E
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02A19F6A
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02A19FAD
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02A19FB4
                                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02A19FFE
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 02A1A038
                                                                                        • lstrcatA.KERNEL32(00000022,02A20A34), ref: 02A1A05E
                                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 02A1A072
                                                                                        • lstrcatA.KERNEL32(00000022,02A20A34), ref: 02A1A08D
                                                                                        • wsprintfA.USER32 ref: 02A1A0B6
                                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 02A1A0DE
                                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 02A1A0FD
                                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02A1A120
                                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02A1A131
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02A1A174
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02A1A17B
                                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 02A1A1B6
                                                                                        • GetCommandLineA.KERNEL32 ref: 02A1A1E5
                                                                                          • Part of subcall function 02A199D2: lstrcpyA.KERNEL32(?,?,00000100,02A222F8,00000000,?,02A19E9D,?,00000022,?,?,?,?,?,?,?), ref: 02A199DF
                                                                                          • Part of subcall function 02A199D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02A19E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02A19A3C
                                                                                          • Part of subcall function 02A199D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02A19E9D,?,00000022,?,?,?), ref: 02A19A52
                                                                                        • lstrlenA.KERNEL32(?), ref: 02A1A288
                                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02A1A3B7
                                                                                        • GetLastError.KERNEL32 ref: 02A1A3ED
                                                                                        • Sleep.KERNELBASE(000003E8), ref: 02A1A400
                                                                                        • DeleteFileA.KERNELBASE(02A233D8), ref: 02A1A407
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,02A1405E,00000000,00000000,00000000), ref: 02A1A42C
                                                                                        • WSAStartup.WS2_32(00001010,?), ref: 02A1A43A
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,02A1877E,00000000,00000000,00000000), ref: 02A1A469
                                                                                        • Sleep.KERNELBASE(00000BB8), ref: 02A1A48A
                                                                                        • GetTickCount.KERNEL32 ref: 02A1A49F
                                                                                        • GetTickCount.KERNEL32 ref: 02A1A4B7
                                                                                        • Sleep.KERNELBASE(00001A90), ref: 02A1A4C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                        • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$D$P$\$tizvpcy
                                                                                        • API String ID: 2089075347-3764418329
                                                                                        • Opcode ID: 7e047d942d1a701d0af10007b8aa3f72fb7253e553dd3d43bd70c586b0020b95
                                                                                        • Instruction ID: 606cc7b9d69938d3b139627fed12ec150b578080a7b65dd7be38f095ff4f3523
                                                                                        • Opcode Fuzzy Hash: 7e047d942d1a701d0af10007b8aa3f72fb7253e553dd3d43bd70c586b0020b95
                                                                                        • Instruction Fuzzy Hash: 8B52A4B1D81259BFEB21DBA4CD89EEF7BBDAB04314F0444A5E509E2141EF709A49CF60

Control-flow Graph
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 02A119B1
                                                                                        • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02A11E9E), ref: 02A119BF
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02A119E2
                                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02A119ED
                                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02A119F9
                                                                                        • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02A11E9E), ref: 02A11A1B
                                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02A11E9E), ref: 02A11A1D
                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02A11E9E), ref: 02A11A36
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,02A11E9E,?,?,?,?,00000001,02A11E9E), ref: 02A11A4A
                                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,02A11E9E,?,?,?,?,00000001,02A11E9E), ref: 02A11A5A
                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,02A11E9E,?,?,?,?,00000001,02A11E9E), ref: 02A11A6E
                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02A11E9E), ref: 02A11A9B
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02A11E9E), ref: 02A11AA4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                        • API String ID: 293628436-270533642
                                                                                        • Opcode ID: a8d0ceb733487bc6e4910ce150126e5b87544480303f9c87332a144afcb2dae5
                                                                                        • Instruction ID: 9994387f96e992e0b496a101f243172a8c67f88fc624cee43e52e39ea2d8ee1c
                                                                                        • Opcode Fuzzy Hash: a8d0ceb733487bc6e4910ce150126e5b87544480303f9c87332a144afcb2dae5
                                                                                        • Instruction Fuzzy Hash: C2316131D40219AFDB119FE8DDC88BEBFB9FF54325B55056AE609A2140DF308A45CB60

Control-flow Graph
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02A17ABA
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02A17ADF
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,02A2070C,?,?,?), ref: 02A17B16
                                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02A17B3B
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02A17B59
                                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 02A17B6A
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02A17B7E
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02A17B8C
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02A17B9C
                                                                                        • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02A17BAB
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02A17BB2
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,02A17FC9,?,00000000), ref: 02A17BCE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                        • String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$D
                                                                                        • API String ID: 2976863881-81543814
                                                                                        • Opcode ID: 324cc09891f77088898b9bde1930f5d915c649a355c564174b1afe4dcf39f34c
                                                                                        • Instruction ID: 31a709934a548e51db396c741b21665aa9ad6659b5157b81f226bda76c0a5c26
                                                                                        • Opcode Fuzzy Hash: 324cc09891f77088898b9bde1930f5d915c649a355c564174b1afe4dcf39f34c
                                                                                        • Instruction Fuzzy Hash: 00A13971D40219AFEF218FA4DC88FFEBBB9FB44314F055469E906E2140EB359A59CB60

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 748 2a17809-2a17837 GetUserNameA 749 2a1783d-2a1786e LookupAccountNameA 748->749 750 2a17a8e-2a17a94 748->750 749->750 751 2a17874-2a178a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 2a178a8-2a178c3 GetSecurityDescriptorOwner 751->752 753 2a178c5-2a178da EqualSid 752->753 754 2a1791d-2a1793b GetSecurityDescriptorDacl 752->754 753->754 755 2a178dc-2a178ed LocalAlloc 753->755 756 2a17941-2a17946 754->756 757 2a17a8d 754->757 755->754 758 2a178ef-2a178f9 InitializeSecurityDescriptor 755->758 756->757 759 2a1794c-2a17955 756->759 757->750 760 2a17916-2a17917 LocalFree 758->760 761 2a178fb-2a17909 SetSecurityDescriptorOwner 758->761 759->757 762 2a1795b-2a1796b GetAce 759->762 760->754 761->760 763 2a1790b-2a17910 SetFileSecurityA 761->763 764 2a17971-2a1797e 762->764 765 2a17a2a 762->765 763->760 767 2a17980-2a17992 EqualSid 764->767 768 2a179ae-2a179b1 764->768 766 2a17a2d-2a17a37 765->766 766->762 769 2a17a3d-2a17a41 766->769 772 2a17994-2a17997 767->772 773 2a17999-2a1799b 767->773 770 2a179b3-2a179bd 768->770 771 2a179be-2a179d0 EqualSid 768->771 769->757 775 2a17a43-2a17a54 LocalAlloc 769->775 770->771 776 2a179d2-2a179e3 771->776 777 2a179e5 771->777 772->767 772->773 773->768 774 2a1799d-2a179ac DeleteAce 773->774 774->766 775->757 778 2a17a56-2a17a60 InitializeSecurityDescriptor 775->778 779 2a179ea-2a179ed 776->779 777->779 780 2a17a62-2a17a71 SetSecurityDescriptorDacl 778->780 781 2a17a86-2a17a87 LocalFree 778->781 782 2a179f8-2a179fb 779->782 783 2a179ef-2a179f5 779->783 780->781 784 2a17a73-2a17a81 SetFileSecurityA 780->784 781->757 785 2a17a03-2a17a0e 782->785 786 2a179fd-2a17a01 782->786 783->782 784->781 787 2a17a83 784->787 788 2a17a10-2a17a17 785->788 789 2a17a19-2a17a24 785->789 786->765 786->785 787->781 790 2a17a27 788->790 789->790 790->765
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02A1782F
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02A17866
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 02A17878
                                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02A1789A
                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,02A17F63,?), ref: 02A178B8
                                                                                        • EqualSid.ADVAPI32(?,02A17F63), ref: 02A178D2
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02A178E3
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02A178F1
                                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02A17901
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02A17910
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02A17917
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02A17933
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 02A17963
                                                                                        • EqualSid.ADVAPI32(?,02A17F63), ref: 02A1798A
                                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 02A179A3
                                                                                        • EqualSid.ADVAPI32(?,02A17F63), ref: 02A179C5
                                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02A17A4A
                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02A17A58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02A17A69
                                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02A17A79
                                                                                        • LocalFree.KERNEL32(00000000), ref: 02A17A87
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                        • String ID: D
                                                                                        • API String ID: 3722657555-2746444292
                                                                                        • Opcode ID: 9d01c60e0f747922beca8c9e86c3e6546f47fcd5dc3708dd875dfbdcb975a247
                                                                                        • Instruction ID: e6cf6fb0c9f7f438b14aea784e06d41eb7e5a312ee6c86a5bd8b6a69d6e05940
                                                                                        • Opcode Fuzzy Hash: 9d01c60e0f747922beca8c9e86c3e6546f47fcd5dc3708dd875dfbdcb975a247
                                                                                        • Instruction Fuzzy Hash: 73814B71D4021AABDB21CFA4CD84FEEBBB8EF08355F15456AE505E2140DB34DA59CFA0

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 791 2a18328-2a1833e call 2a17dd6 794 2a18340-2a18343 791->794 795 2a18348-2a18356 call 2a16ec3 791->795 796 2a1877b-2a1877d 794->796 799 2a1846b-2a18474 795->799 800 2a1835c-2a18378 call 2a173ff 795->800 802 2a185c2-2a185ce 799->802 803 2a1847a-2a18480 799->803 811 2a18464-2a18466 800->811 812 2a1837e-2a18384 800->812 806 2a185d0-2a185da call 2a1675c 802->806 807 2a18615-2a18620 802->807 803->802 804 2a18486-2a184ba call 2a12544 RegOpenKeyExA 803->804 821 2a184c0-2a184db RegQueryValueExA 804->821 822 2a18543-2a18571 call 2a12544 RegOpenKeyExA 804->822 814 2a185df-2a185eb 806->814 809 2a186a7-2a186b0 call 2a16ba7 807->809 810 2a18626-2a1864c GetTempPathA call 2a18274 call 2a1eca5 807->810 830 2a18762 809->830 831 2a186b6-2a186bd call 2a17e2f 809->831 849 2a18671-2a186a4 call 2a12544 call 2a1ef00 call 2a1ee2a 810->849 850 2a1864e-2a1866f call 2a1eca5 810->850 819 2a18779-2a1877a 811->819 812->811 818 2a1838a-2a1838d 812->818 814->807 820 2a185ed-2a185ef 814->820 818->811 825 2a18393-2a18399 818->825 819->796 820->807 826 2a185f1-2a185fa 820->826 828 2a18521-2a1852d RegCloseKey 821->828 829 2a184dd-2a184e1 821->829 843 2a18573-2a1857b 822->843 844 2a185a5-2a185b7 call 2a1ee2a 822->844 833 2a1839c-2a183a1 825->833 826->807 834 2a185fc-2a1860f call 2a124c2 826->834 828->822 840 2a1852f-2a18541 call 2a1eed1 828->840 829->828 836 2a184e3-2a184e6 829->836 838 2a18768-2a1876b 830->838 862 2a186c3-2a1873b call 2a1ee2a * 2 lstrcpyA lstrlenA call 2a17fcf CreateProcessA 831->862 863 2a1875b-2a1875c DeleteFileA 831->863 833->833 841 2a183a3-2a183af 833->841 834->807 834->838 836->828 845 2a184e8-2a184f6 call 2a1ebcc 836->845 847 2a18776-2a18778 838->847 848 2a1876d-2a18775 call 2a1ec2e 838->848 840->822 840->844 852 2a183b1 841->852 853 2a183b3-2a183ba 841->853 859 2a1857e-2a18583 843->859 844->802 878 2a185b9-2a185c1 call 2a1ec2e 844->878 845->828 877 2a184f8-2a18513 RegQueryValueExA 845->877 847->819 848->847 849->809 850->849 852->853 856 2a18450-2a1845f call 2a1ee2a 853->856 857 2a183c0-2a183fb call 2a12544 RegOpenKeyExA 853->857 856->802 857->856 882 2a183fd-2a1841c RegQueryValueExA 857->882 859->859 868 2a18585-2a1859f RegSetValueExA RegCloseKey 859->868 899 2a1873d-2a1874d CloseHandle * 2 862->899 900 2a1874f-2a1875a call 2a17ee6 call 2a17ead 862->900 863->830 868->844 877->828 883 2a18515-2a1851e call 2a1ec2e 877->883 878->802 888 2a1842d-2a18441 RegSetValueExA 882->888 889 2a1841e-2a18421 882->889 883->828 895 2a18447-2a1844a RegCloseKey 888->895 889->888 894 2a18423-2a18426 889->894 894->888 898 2a18428-2a1842b 894->898 895->856 898->888 898->895 899->838 900->863
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02A20750,?,?,00000000,localcfg,00000000), ref: 02A183F3
                                                                                        • RegQueryValueExA.KERNELBASE(02A20750,?,00000000,?,02A18893,?,?,?,00000000,00000103,02A20750,?,?,00000000,localcfg,00000000), ref: 02A18414
                                                                                        • RegSetValueExA.KERNELBASE(02A20750,?,00000000,00000004,02A18893,00000004,?,?,00000000,00000103,02A20750,?,?,00000000,localcfg,00000000), ref: 02A18441
                                                                                        • RegCloseKey.ADVAPI32(02A20750,?,?,00000000,00000103,02A20750,?,?,00000000,localcfg,00000000), ref: 02A1844A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Value$CloseOpenQuery
                                                                                        • String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe$localcfg
                                                                                        • API String ID: 237177642-1360186656
                                                                                        • Opcode ID: 317c950e61370faf30206ecf27b7040243a3426902a179ee98bb9c95c4e14be0
                                                                                        • Instruction ID: a35cf559ff0fc7431fe1907310d968583b6265d657579fccc4cfbf7b4d0ca8eb
                                                                                        • Opcode Fuzzy Hash: 317c950e61370faf30206ecf27b7040243a3426902a179ee98bb9c95c4e14be0
                                                                                        • Instruction Fuzzy Hash: D6C191B1D84109BEFB219BA8DD85EFE7BBEEB04724F140465F905A2040EF348A59CF61

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32 ref: 02A11DC6
                                                                                        • GetSystemInfo.KERNELBASE(?), ref: 02A11DE8
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02A11E03
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02A11E0A
                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 02A11E1B
                                                                                        • GetTickCount.KERNEL32 ref: 02A11FC9
                                                                                          • Part of subcall function 02A11BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02A11C15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                        • API String ID: 4207808166-1381319158
                                                                                        • Opcode ID: a48fa0055b637480f0962362010af56428268cdf5e586fba9b54afcd88d93e34
                                                                                        • Instruction ID: 168712c9913358e6813543f8a08f8bc82e81825d8cb0b22ea629e243c7989335
                                                                                        • Opcode Fuzzy Hash: a48fa0055b637480f0962362010af56428268cdf5e586fba9b54afcd88d93e34
                                                                                        • Instruction Fuzzy Hash: B051A9709483446FF330AF798E85F27BAEDEB54714F04095DF98A82141DF75A908CBA1

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 999 2a173ff-2a17419 1000 2a1741b 999->1000 1001 2a1741d-2a17422 999->1001 1000->1001 1002 2a17424 1001->1002 1003 2a17426-2a1742b 1001->1003 1002->1003 1004 2a17430-2a17435 1003->1004 1005 2a1742d 1003->1005 1006 2a17437 1004->1006 1007 2a1743a-2a17481 call 2a16dc2 call 2a12544 RegOpenKeyExA 1004->1007 1005->1004 1006->1007 1012 2a17487-2a1749d call 2a1ee2a 1007->1012 1013 2a177f9-2a177fe call 2a1ee2a 1007->1013 1018 2a17703-2a1770e RegEnumKeyA 1012->1018 1019 2a17801 1013->1019 1021 2a174a2-2a174b1 call 2a16cad 1018->1021 1022 2a17714-2a1771d RegCloseKey 1018->1022 1020 2a17804-2a17808 1019->1020 1025 2a174b7-2a174cc call 2a1f1a5 1021->1025 1026 2a176ed-2a17700 1021->1026 1022->1019 1025->1026 1029 2a174d2-2a174f8 RegOpenKeyExA 1025->1029 1026->1018 1030 2a17727-2a1772a 1029->1030 1031 2a174fe-2a17530 call 2a12544 RegQueryValueExA 1029->1031 1032 2a17755-2a17764 call 2a1ee2a 1030->1032 1033 2a1772c-2a17740 call 2a1ef00 1030->1033 1031->1030 1039 2a17536-2a1753c 1031->1039 1044 2a176df-2a176e2 1032->1044 1041 2a17742-2a17745 RegCloseKey 1033->1041 1042 2a1774b-2a1774e 1033->1042 1043 2a1753f-2a17544 1039->1043 1041->1042 1046 2a177ec-2a177f7 RegCloseKey 1042->1046 1043->1043 1045 2a17546-2a1754b 1043->1045 1044->1026 1047 2a176e4-2a176e7 RegCloseKey 1044->1047 1045->1032 1048 2a17551-2a1756b call 2a1ee95 1045->1048 1046->1020 1047->1026 1048->1032 1051 2a17571-2a17593 call 2a12544 call 2a1ee95 1048->1051 1056 2a17753 1051->1056 1057 2a17599-2a175a0 1051->1057 1056->1032 1058 2a175a2-2a175c6 call 2a1ef00 call 2a1ed03 1057->1058 1059 2a175c8-2a175d7 call 2a1ed03 1057->1059 1065 2a175d8-2a175da 1058->1065 1059->1065 1067 2a175dc 1065->1067 1068 2a175df-2a17623 call 2a1ee95 call 2a12544 call 2a1ee95 call 2a1ee2a 1065->1068 1067->1068 1077 2a17626-2a1762b 1068->1077 1077->1077 1078 2a1762d-2a17634 1077->1078 1079 2a17637-2a1763c 1078->1079 1079->1079 1080 2a1763e-2a17642 1079->1080 1081 2a17644-2a17656 call 2a1ed77 1080->1081 1082 2a1765c-2a17673 call 2a1ed23 1080->1082 1081->1082 1087 2a17769-2a1777c call 2a1ef00 1081->1087 1088 2a17680 1082->1088 1089 2a17675-2a1767e 1082->1089 1094 2a177e3-2a177e6 RegCloseKey 1087->1094 1091 2a17683-2a1768e call 2a16cad 1088->1091 1089->1091 1096 2a17722-2a17725 1091->1096 1097 2a17694-2a176bf call 2a1f1a5 call 2a16c96 1091->1097 1094->1046 1099 2a176dd 1096->1099 1103 2a176c1-2a176c7 1097->1103 1104 2a176d8 1097->1104 1099->1044 1103->1104 1105 2a176c9-2a176d2 1103->1105 1104->1099 1105->1104 1106 2a1777e-2a17797 GetFileAttributesExA 1105->1106 1107 2a17799 1106->1107 1108 2a1779a-2a1779f 1106->1108 1107->1108 1109 2a177a1 1108->1109 1110 2a177a3-2a177a8 1108->1110 1109->1110 1111 2a177c4-2a177c8 1110->1111 1112 2a177aa-2a177c0 call 2a1ee08 1110->1112 1114 2a177d7-2a177dc 1111->1114 1115 2a177ca-2a177d6 call 2a1ef00 1111->1115 1112->1111 1118 2a177e0-2a177e2 1114->1118 1119 2a177de 1114->1119 1115->1114 1118->1094 1119->1118
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 02A17472
                                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 02A174F0
                                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 02A17528
                                                                                        • ___ascii_stricmp.LIBCMT ref: 02A1764D
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 02A176E7
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02A17706
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02A17717
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 02A17745
                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02A177EF
                                                                                          • Part of subcall function 02A1F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02A222F8,000000C8,02A17150,?), ref: 02A1F1AD
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02A1778F
                                                                                        • RegCloseKey.KERNELBASE(?), ref: 02A177E6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                        • String ID: "
                                                                                        • API String ID: 3433985886-123907689
                                                                                        • Opcode ID: de20de843f6f1fd746d114416004a658cf1a3b1ef6bc5a774a2423f9a3ea3646
                                                                                        • Instruction ID: 212ea4d99dbcb73cacb29a4700ff8c0e35a8a9bfa7c09b0a62d0711bd264d428
                                                                                        • Opcode Fuzzy Hash: de20de843f6f1fd746d114416004a658cf1a3b1ef6bc5a774a2423f9a3ea3646
                                                                                        • Instruction Fuzzy Hash: 47C17F71944219AFEB21DBA8DD84FEEBBBAEF45320F140495E504E6190EF71DA84CF60

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1121 2a1675c-2a16778 1122 2a16784-2a167a2 CreateFileA 1121->1122 1123 2a1677a-2a1677e SetFileAttributesA 1121->1123 1124 2a167b5-2a167b8 1122->1124 1125 2a167a4-2a167b2 CreateFileA 1122->1125 1123->1122 1126 2a167c5-2a167c9 1124->1126 1127 2a167ba-2a167bf SetFileAttributesA 1124->1127 1125->1124 1128 2a16977-2a16986 1126->1128 1129 2a167cf-2a167df GetFileSize 1126->1129 1127->1126 1130 2a167e5-2a167e7 1129->1130 1131 2a1696b 1129->1131 1130->1131 1132 2a167ed-2a1680b ReadFile 1130->1132 1133 2a1696e-2a16971 FindCloseChangeNotification 1131->1133 1132->1131 1134 2a16811-2a16824 SetFilePointer 1132->1134 1133->1128 1134->1131 1135 2a1682a-2a16842 ReadFile 1134->1135 1135->1131 1136 2a16848-2a16861 SetFilePointer 1135->1136 1136->1131 1137 2a16867-2a16876 1136->1137 1138 2a168d5-2a168df 1137->1138 1139 2a16878-2a1688f ReadFile 1137->1139 1138->1133 1140 2a168e5-2a168eb 1138->1140 1141 2a16891-2a1689e 1139->1141 1142 2a168d2 1139->1142 1143 2a168f0-2a168fe call 2a1ebcc 1140->1143 1144 2a168ed 1140->1144 1145 2a168a0-2a168b5 1141->1145 1146 2a168b7-2a168ba 1141->1146 1142->1138 1143->1131 1153 2a16900-2a1690b SetFilePointer 1143->1153 1144->1143 1148 2a168bd-2a168c3 1145->1148 1146->1148 1150 2a168c5 1148->1150 1151 2a168c8-2a168ce 1148->1151 1150->1151 1151->1139 1152 2a168d0 1151->1152 1152->1138 1154 2a1695a-2a16969 call 2a1ec2e 1153->1154 1155 2a1690d-2a16920 ReadFile 1153->1155 1154->1133 1155->1154 1156 2a16922-2a16958 1155->1156 1156->1133
                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 02A1677E
                                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 02A1679A
                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 02A167B0
                                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 02A167BF
                                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 02A167D3
                                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,02A18244,00000000,?,75920F10,00000000), ref: 02A16807
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02A1681F
                                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 02A1683E
                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02A1685C
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,02A18244,00000000,?,75920F10,00000000), ref: 02A1688B
                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 02A16906
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,02A18244,00000000,?,75920F10,00000000), ref: 02A1691C
                                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 02A16971
                                                                                          • Part of subcall function 02A1EC2E: GetProcessHeap.KERNEL32(00000000,02A1EA27,00000000,02A1EA27,00000000), ref: 02A1EC41
                                                                                          • Part of subcall function 02A1EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02A1EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                        • String ID:
                                                                                        • API String ID: 1400801100-0
                                                                                        • Opcode ID: 064afbdda8936c8804ba916fbfc63d0664404c08d9ef8f605bb198ec82845191
                                                                                        • Instruction ID: 0e44c7f14825080b7819270f37cf942153556073693261af71827d89a6487ca1
                                                                                        • Opcode Fuzzy Hash: 064afbdda8936c8804ba916fbfc63d0664404c08d9ef8f605bb198ec82845191
                                                                                        • Instruction Fuzzy Hash: C4711571C00219EFDB148FA4CD80AEEBBB9FB04764F10456AE925E6190EB309E56DF60

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1159 2a1f315-2a1f332 1160 2a1f334-2a1f336 1159->1160 1161 2a1f33b-2a1f372 call 2a1ee2a htons socket 1159->1161 1162 2a1f424-2a1f427 1160->1162 1165 2a1f382-2a1f39b ioctlsocket 1161->1165 1166 2a1f374-2a1f37d closesocket 1161->1166 1167 2a1f3aa-2a1f3f0 connect select 1165->1167 1168 2a1f39d 1165->1168 1166->1162 1170 2a1f421 1167->1170 1171 2a1f3f2-2a1f401 __WSAFDIsSet 1167->1171 1169 2a1f39f-2a1f3a8 closesocket 1168->1169 1172 2a1f423 1169->1172 1170->1172 1171->1169 1173 2a1f403-2a1f416 ioctlsocket call 2a1f26d 1171->1173 1172->1162 1175 2a1f41b-2a1f41f 1173->1175 1175->1172
                                                                                        APIs
                                                                                        • htons.WS2_32(02A1CA1D), ref: 02A1F34D
                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 02A1F367
                                                                                        • closesocket.WS2_32(00000000), ref: 02A1F375
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesockethtonssocket
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 311057483-2401304539
                                                                                        • Opcode ID: b5c7aa15f7e7eca6f519e407752fe32af397e716a4e4ba6896a79bc908ac39ad
                                                                                        • Instruction ID: bb08433ac27515e07817b8e1a8c623d9e5084c64c02ab4e26281602797ce4aa9
                                                                                        • Opcode Fuzzy Hash: b5c7aa15f7e7eca6f519e407752fe32af397e716a4e4ba6896a79bc908ac39ad
                                                                                        • Instruction Fuzzy Hash: 51317076940258AFDB10DFA8EC859FEBBBCFF48320F104566FA15D3140EB3096468BA0

                                                                                        control_flow_graph 1176 2a1405e-2a1407b CreateEventA 1177 2a14084-2a140a8 call 2a13ecd call 2a14000 1176->1177 1178 2a1407d-2a14081 1176->1178 1183 2a14130-2a1413e call 2a1ee2a 1177->1183 1184 2a140ae-2a140be call 2a1ee2a 1177->1184 1189 2a1413f-2a14165 call 2a13ecd CreateNamedPipeA 1183->1189 1184->1183 1190 2a140c0-2a140f1 call 2a1eca5 call 2a13f18 call 2a13f8c 1184->1190 1195 2a14167-2a14174 Sleep 1189->1195 1196 2a14188-2a14193 ConnectNamedPipe 1189->1196 1207 2a140f3-2a140ff 1190->1207 1208 2a14127-2a1412a CloseHandle 1190->1208 1195->1189 1198 2a14176-2a14182 CloseHandle 1195->1198 1200 2a14195-2a141a5 GetLastError 1196->1200 1201 2a141ab-2a141c0 call 2a13f8c 1196->1201 1198->1196 1200->1201 1203 2a1425e-2a14265 DisconnectNamedPipe 1200->1203 1201->1196 1209 2a141c2-2a141f2 call 2a13f18 call 2a13f8c 1201->1209 1203->1196 1207->1208 1210 2a14101-2a14121 call 2a13f18 ExitProcess 1207->1210 1208->1183 1209->1203 1217 2a141f4-2a14200 1209->1217 1217->1203 1218 2a14202-2a14215 call 2a13f8c 1217->1218 1218->1203 1221 2a14217-2a1421b 1218->1221 1221->1203 1222 2a1421d-2a14230 call 2a13f8c 1221->1222 1222->1203 1225 2a14232-2a14236 1222->1225 1225->1196 1226 2a1423c-2a14251 call 2a13f18 1225->1226 1229 2a14253-2a14259 1226->1229 1230 2a1426a-2a14276 CloseHandle * 2 call 2a1e318 1226->1230 1229->1196 1232 2a1427b 1230->1232 1232->1232
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02A14070
                                                                                        • ExitProcess.KERNEL32 ref: 02A14121
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEventExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2404124870-0
                                                                                        • Opcode ID: 51ab56788eae72ebb67a6057417eaf9b2208d2373d7719cb917052a1fbd58e11
                                                                                        • Instruction ID: fa1422d800e7f766ce028807dc2958184afcdd8c7e3d309ff225ac1adc633cbb
                                                                                        • Opcode Fuzzy Hash: 51ab56788eae72ebb67a6057417eaf9b2208d2373d7719cb917052a1fbd58e11
                                                                                        • Instruction Fuzzy Hash: 095184B1D80219BBEF209BA89D85FFFBA7DEB15724F100055FA14B6080EF718A45CB61

                                                                                        control_flow_graph 1233 2a12d21-2a12d44 GetModuleHandleA 1234 2a12d46-2a12d52 LoadLibraryA 1233->1234 1235 2a12d5b-2a12d69 GetProcAddress 1233->1235 1234->1235 1236 2a12d54-2a12d56 1234->1236 1235->1236 1237 2a12d6b-2a12d7b DnsQuery_A 1235->1237 1238 2a12dee-2a12df1 1236->1238 1237->1236 1239 2a12d7d-2a12d88 1237->1239 1240 2a12deb 1239->1240 1241 2a12d8a-2a12d8b 1239->1241 1240->1238 1242 2a12d90-2a12d95 1241->1242 1243 2a12de2-2a12de8 1242->1243 1244 2a12d97-2a12daa GetProcessHeap HeapAlloc 1242->1244 1243->1242 1245 2a12dea 1243->1245 1244->1245 1246 2a12dac-2a12dd9 call 2a1ee2a lstrcpynA 1244->1246 1245->1240 1249 2a12de0 1246->1249 1250 2a12ddb-2a12dde 1246->1250 1249->1243 1250->1243
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02A12F01,?,02A120FF,02A22000), ref: 02A12D3A
                                                                                        • LoadLibraryA.KERNEL32(?), ref: 02A12D4A
                                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02A12D61
                                                                                        • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02A12D77
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02A12D99
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 02A12DA0
                                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02A12DCB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                                        • API String ID: 233223969-3847274415
                                                                                        • Opcode ID: 7182907816a8b4f7f9e9e6a7e1537f662ba240610f92d6e5ad63783ae6708d0a
                                                                                        • Instruction ID: 3c861aab4bdbd8642f4ee6eac0c8adc0d6dedb4d88654f14b0e692ba7b2ca4cf
                                                                                        • Opcode Fuzzy Hash: 7182907816a8b4f7f9e9e6a7e1537f662ba240610f92d6e5ad63783ae6708d0a
                                                                                        • Instruction Fuzzy Hash: A1214F71940735ABDB219B68DC84BAEBBB9EF18B60F114452F905A7100DB70D98A8BD0

                                                                                        control_flow_graph 1251 2a180c9-2a180ed call 2a16ec3 1254 2a180f9-2a18115 call 2a1704c 1251->1254 1255 2a180ef call 2a17ee6 1251->1255 1260 2a18225-2a1822b 1254->1260 1261 2a1811b-2a18121 1254->1261 1258 2a180f4 1255->1258 1258->1260 1262 2a1822d-2a18233 1260->1262 1263 2a1826c-2a18273 1260->1263 1261->1260 1264 2a18127-2a1812a 1261->1264 1262->1263 1265 2a18235-2a1823f call 2a1675c 1262->1265 1264->1260 1266 2a18130-2a18167 call 2a12544 RegOpenKeyExA 1264->1266 1269 2a18244-2a1824b 1265->1269 1272 2a18216-2a18222 call 2a1ee2a 1266->1272 1273 2a1816d-2a1818b RegQueryValueExA 1266->1273 1269->1263 1271 2a1824d-2a18269 call 2a124c2 call 2a1ec2e 1269->1271 1271->1263 1272->1260 1275 2a181f7-2a181fe 1273->1275 1276 2a1818d-2a18191 1273->1276 1280 2a18200-2a18206 call 2a1ec2e 1275->1280 1281 2a1820d-2a18210 RegCloseKey 1275->1281 1276->1275 1282 2a18193-2a18196 1276->1282 1289 2a1820c 1280->1289 1281->1272 1282->1275 1285 2a18198-2a181a8 call 2a1ebcc 1282->1285 1285->1281 1291 2a181aa-2a181c2 RegQueryValueExA 1285->1291 1289->1281 1291->1275 1292 2a181c4-2a181ca 1291->1292 1293 2a181cd-2a181d2 1292->1293 1293->1293 1294 2a181d4-2a181e5 call 2a1ebcc 1293->1294 1294->1281 1297 2a181e7-2a181f5 call 2a1ef00 1294->1297 1297->1289
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02A1815F
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02A1A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02A18187
                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02A1A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02A181BE
                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02A18210
                                                                                          • Part of subcall function 02A1675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 02A1677E
                                                                                          • Part of subcall function 02A1675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 02A1679A
                                                                                          • Part of subcall function 02A1675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 02A167B0
                                                                                          • Part of subcall function 02A1675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 02A167BF
                                                                                          • Part of subcall function 02A1675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 02A167D3
                                                                                          • Part of subcall function 02A1675C: ReadFile.KERNELBASE(000000FF,?,00000040,02A18244,00000000,?,75920F10,00000000), ref: 02A16807
                                                                                          • Part of subcall function 02A1675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02A1681F
                                                                                          • Part of subcall function 02A1675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 02A1683E
                                                                                          • Part of subcall function 02A1675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02A1685C
                                                                                          • Part of subcall function 02A1EC2E: GetProcessHeap.KERNEL32(00000000,02A1EA27,00000000,02A1EA27,00000000), ref: 02A1EC41
                                                                                          • Part of subcall function 02A1EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02A1EC48
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                        • String ID: C:\Windows\SysWOW64\tizvpcy\oxdombt.exe
                                                                                        • API String ID: 124786226-1823783247
                                                                                        • Opcode ID: e3aaa175499bcee8167b7828a0de9b0f05f4289314e5d3d8e6f18947424e308a
                                                                                        • Instruction ID: ffd141cfd8aad69c2f2eec80c5b4623594058fdc93cf16a2da302096b33a74cc
                                                                                        • Opcode Fuzzy Hash: e3aaa175499bcee8167b7828a0de9b0f05f4289314e5d3d8e6f18947424e308a
                                                                                        • Instruction Fuzzy Hash: CB4192B2D84119BFFB25EBA49EC0EBEB77DAB04324F144866E911D7000EF349A598F50

                                                                                        control_flow_graph 1300 2a11ac3-2a11adc LoadLibraryA 1301 2a11ae2-2a11af3 GetProcAddress 1300->1301 1302 2a11b6b-2a11b70 1300->1302 1303 2a11af5-2a11b01 1301->1303 1304 2a11b6a 1301->1304 1305 2a11b1c-2a11b27 GetAdaptersAddresses 1303->1305 1304->1302 1306 2a11b03-2a11b12 call 2a1ebed 1305->1306 1307 2a11b29-2a11b2b 1305->1307 1306->1307 1318 2a11b14-2a11b1b 1306->1318 1309 2a11b5b-2a11b5e 1307->1309 1310 2a11b2d-2a11b32 1307->1310 1311 2a11b60-2a11b68 call 2a1ec2e 1309->1311 1312 2a11b69 1309->1312 1310->1312 1314 2a11b34-2a11b3b 1310->1314 1311->1312 1312->1304 1315 2a11b54-2a11b59 1314->1315 1316 2a11b3d-2a11b52 1314->1316 1315->1309 1315->1314 1316->1315 1316->1316 1318->1305
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02A11AD4
                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02A11AE9
                                                                                        • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02A11B20
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                        • API String ID: 3646706440-1087626847
                                                                                        • Opcode ID: f677ea4b77be59faaeb3fa3cd200739607ee9a18c1bf9595f33cce21d32de246
                                                                                        • Instruction ID: 9cb15373ac1408edebdb29700e47527e3b391fdaa6f587f9a6711de8ff77f30d
                                                                                        • Opcode Fuzzy Hash: f677ea4b77be59faaeb3fa3cd200739607ee9a18c1bf9595f33cce21d32de246
                                                                                        • Instruction Fuzzy Hash: D111D375E49138BFDB219BADDDC48EDFBBAEB44B24B554056E309A3100EF309A44CB94

                                                                                        control_flow_graph 1320 2a1e3ca-2a1e3ee RegOpenKeyExA 1321 2a1e3f4-2a1e3fb 1320->1321 1322 2a1e528-2a1e52d 1320->1322 1323 2a1e3fe-2a1e403 1321->1323 1323->1323 1324 2a1e405-2a1e40f 1323->1324 1325 2a1e411-2a1e413 1324->1325 1326 2a1e414-2a1e452 call 2a1ee08 call 2a1f1ed RegQueryValueExA 1324->1326 1325->1326 1331 2a1e458-2a1e486 call 2a1f1ed RegQueryValueExA 1326->1331 1332 2a1e51d-2a1e527 RegCloseKey 1326->1332 1335 2a1e488-2a1e48a 1331->1335 1332->1322 1335->1332 1336 2a1e490-2a1e4a1 call 2a1db2e 1335->1336 1336->1332 1339 2a1e4a3-2a1e4a6 1336->1339 1340 2a1e4a9-2a1e4d3 call 2a1f1ed RegQueryValueExA 1339->1340 1343 2a1e4d5-2a1e4da 1340->1343 1344 2a1e4e8-2a1e4ea 1340->1344 1343->1344 1345 2a1e4dc-2a1e4e6 1343->1345 1344->1332 1346 2a1e4ec-2a1e516 call 2a12544 call 2a1e332 1344->1346 1345->1340 1345->1344 1346->1332
                                                                                        APIs
                                                                                        • RegOpenKeyExA.KERNELBASE(80000001,02A1E5F2,00000000,00020119,02A1E5F2,02A222F8), ref: 02A1E3E6
                                                                                        • RegQueryValueExA.ADVAPI32(02A1E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02A1E44E
                                                                                        • RegQueryValueExA.ADVAPI32(02A1E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02A1E482
                                                                                        • RegQueryValueExA.ADVAPI32(02A1E5F2,?,00000000,?,80000001,?), ref: 02A1E4CF
                                                                                        • RegCloseKey.ADVAPI32(02A1E5F2,?,?,?,?,000000C8,000000E4), ref: 02A1E520
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1586453840-0
                                                                                        • Opcode ID: ad189f6b09e05395986ee6f7b55118a2f2e3fba956512ee6e466c1c9abe8b4f4
                                                                                        • Instruction ID: c8c87ad8200b9a63b2bd54fddd96deb2410f3d22e88777959700c40700b9e537
                                                                                        • Opcode Fuzzy Hash: ad189f6b09e05395986ee6f7b55118a2f2e3fba956512ee6e466c1c9abe8b4f4
                                                                                        • Instruction Fuzzy Hash: 764127B2D4021DBFEF11AFD8DD81DEEBBBDEB08314F144466EA01E2150EB319A158B60

                                                                                        control_flow_graph 1351 2a1f26d-2a1f303 setsockopt * 5
                                                                                        APIs
                                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02A1F2A0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02A1F2C0
                                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02A1F2DD
                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02A1F2EC
                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02A1F2FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: setsockopt
                                                                                        • String ID:
                                                                                        • API String ID: 3981526788-0
                                                                                        • Opcode ID: a308fac47d4faeebcee30116bc1b8e432c4fe7a2b833e253603f06220172863f
                                                                                        • Instruction ID: ffc31cac1ef0e773eddf01ad92c7c4be922e74602a706e8e5a99f64d0aa7ed61
                                                                                        • Opcode Fuzzy Hash: a308fac47d4faeebcee30116bc1b8e432c4fe7a2b833e253603f06220172863f
                                                                                        • Instruction Fuzzy Hash: 29110DB1A40248BAEF11DF94CD41FEE7FBDEB44751F004066BB04EA1D0E6B19A45CB94

                                                                                        control_flow_graph 1352 2a11bdf-2a11c04 call 2a11ac3 1354 2a11c09-2a11c0b 1352->1354 1355 2a11c5a-2a11c5e 1354->1355 1356 2a11c0d-2a11c1d GetComputerNameA 1354->1356 1357 2a11c45-2a11c57 GetVolumeInformationA 1356->1357 1358 2a11c1f-2a11c24 1356->1358 1357->1355 1358->1357 1359 2a11c26-2a11c3b 1358->1359 1359->1359 1360 2a11c3d-2a11c3f 1359->1360 1360->1357 1361 2a11c41-2a11c43 1360->1361 1361->1355
                                                                                        APIs
                                                                                          • Part of subcall function 02A11AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02A11AD4
                                                                                          • Part of subcall function 02A11AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02A11AE9
                                                                                          • Part of subcall function 02A11AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02A11B20
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 02A11C15
                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02A11C51
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: hi_id$localcfg
                                                                                        • API String ID: 2794401326-2393279970
                                                                                        APIs
                                                                                          • Part of subcall function 02A11AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02A11AD4
                                                                                          • Part of subcall function 02A11AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02A11AE9
                                                                                          • Part of subcall function 02A11AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02A11B20
                                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 02A11BA3
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02A11EFD,00000000,00000000,00000000,00000000), ref: 02A11BB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 2794401326-1857712256
                                                                                        APIs
                                                                                        • inet_addr.WS2_32(00000001), ref: 02A12693
                                                                                        • gethostbyname.WS2_32(00000001), ref: 02A1269F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynameinet_addr
                                                                                        • String ID: time_cfg
                                                                                        • API String ID: 1594361348-2401304539
                                                                                        APIs
                                                                                          • Part of subcall function 02A1DD05: GetTickCount.KERNEL32 ref: 02A1DD0F
                                                                                          • Part of subcall function 02A1DD05: InterlockedExchange.KERNEL32(02A236B4,00000001), ref: 02A1DD44
                                                                                          • Part of subcall function 02A1DD05: GetCurrentThreadId.KERNEL32 ref: 02A1DD53
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,02A1A445), ref: 02A1E558
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,02A1A445), ref: 02A1E583
                                                                                        • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,02A1A445), ref: 02A1E5B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                        • String ID:
                                                                                        • API String ID: 3683885500-0
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000003E8), ref: 02A188A5
                                                                                          • Part of subcall function 02A1F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02A1E342,00000000,7508EA50,80000001,00000000,02A1E513,?,00000000,00000000,?,000000E4), ref: 02A1F089
                                                                                          • Part of subcall function 02A1F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02A1E342,00000000,7508EA50,80000001,00000000,02A1E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02A1F093
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$FileSystem$Sleep
                                                                                        • String ID: localcfg$rresolv
                                                                                        • API String ID: 1561729337-486471987
                                                                                        APIs
                                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02A222F8,02A142B6,00000000,00000001,02A222F8,00000000,?,02A198FD), ref: 02A14021
                                                                                        • GetLastError.KERNEL32(?,02A198FD,00000001,00000100,02A222F8,02A1A3C7), ref: 02A1402C
                                                                                        • Sleep.KERNEL32(000001F4,?,02A198FD,00000001,00000100,02A222F8,02A1A3C7), ref: 02A14046
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateErrorFileLastSleep
                                                                                        • String ID:
                                                                                        • API String ID: 408151869-0
                                                                                        APIs
                                                                                        • GetEnvironmentVariableA.KERNEL32(02A1DC19,?,00000104), ref: 02A1DB7F
                                                                                        • lstrcpyA.KERNEL32(?,02A228F8), ref: 02A1DBA4
                                                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02A1DBC2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                        • String ID:
                                                                                        • API String ID: 2536392590-0
                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02A1EC5E
                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02A1EC72
                                                                                        • GetTickCount.KERNEL32 ref: 02A1EC78
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                                        • String ID:
                                                                                        • API String ID: 1209300637-0
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 02A130D8
                                                                                        • gethostbyname.WS2_32(?), ref: 02A130E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: gethostbynamegethostname
                                                                                        • String ID:
                                                                                        • API String ID: 3961807697-0
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,02A1DB55,7FFF0001), ref: 02A1EC13
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,02A1DB55,7FFF0001), ref: 02A1EC1A
                                                                                          • Part of subcall function 02A1EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02A1EBFE,7FFF0001,?,02A1DB55,7FFF0001), ref: 02A1EBD3
                                                                                          • Part of subcall function 02A1EBCC: RtlAllocateHeap.NTDLL(00000000,?,02A1DB55,7FFF0001), ref: 02A1EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1357844191-0
                                                                                        APIs
                                                                                          • Part of subcall function 02A1EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02A1EC0A,00000000,80000001,?,02A1DB55,7FFF0001), ref: 02A1EBAD
                                                                                          • Part of subcall function 02A1EBA0: HeapSize.KERNEL32(00000000,?,02A1DB55,7FFF0001), ref: 02A1EBB4
                                                                                        • GetProcessHeap.KERNEL32(00000000,02A1EA27,00000000,02A1EA27,00000000), ref: 02A1EC41
                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 02A1EC48
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$FreeSize
                                                                                        • String ID:
                                                                                        • API String ID: 1305341483-0
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02A1EBFE,7FFF0001,?,02A1DB55,7FFF0001), ref: 02A1EBD3
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,02A1DB55,7FFF0001), ref: 02A1EBDA
                                                                                          • Part of subcall function 02A1EB74: GetProcessHeap.KERNEL32(00000000,00000000,02A1EC28,00000000,?,02A1DB55,7FFF0001), ref: 02A1EB81
                                                                                          • Part of subcall function 02A1EB74: HeapSize.KERNEL32(00000000,?,02A1DB55,7FFF0001), ref: 02A1EB88
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocateSize
                                                                                        • String ID:
                                                                                        • API String ID: 2559512979-0
                                                                                        APIs
                                                                                        • recv.WS2_32(000000C8,?,00000000,02A1CA44), ref: 02A1F476
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: recv
                                                                                        • String ID:
                                                                                        • API String ID: 1507349165-0
                                                                                        APIs
                                                                                        • closesocket.WS2_32(00000000), ref: 02A11992
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: closesocket
                                                                                        • String ID:
                                                                                        • API String ID: 2781271927-0
                                                                                        • Opcode ID: 681a57deb11e2a9e0d2373ef19935db6d70978a6236ef0861d59e8cd01038b1b
                                                                                        • Instruction ID: 6ca4185c3861e075ff37bfa3dc544050b23773a26212d730a92420f49f522b23
                                                                                        • Opcode Fuzzy Hash: 681a57deb11e2a9e0d2373ef19935db6d70978a6236ef0861d59e8cd01038b1b
                                                                                        • Instruction Fuzzy Hash: 8BD012265886356A52112759B80447FEB9DDF45672711941BFD48C4150DF34C84287A5
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02A1DDB5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 1586166983-0
                                                                                        • Opcode ID: c147e785e4004c5cc1cb83675eb428a0af6a5aeb1b8cda3efcb1bc0dba269ee3
                                                                                        • Instruction ID: b091ddc8949ad209b7b2651b18960d715a17b65bd0fd9be9fe31bb1b841940a1
                                                                                        • Opcode Fuzzy Hash: c147e785e4004c5cc1cb83675eb428a0af6a5aeb1b8cda3efcb1bc0dba269ee3
                                                                                        • Instruction Fuzzy Hash: A2F08C32206B02CBDB30CF28A8C4666B3E8EB86379F19482EE655D2140DF30D859CB11
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02A19816,EntryPoint), ref: 02A1638F
                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02A19816,EntryPoint), ref: 02A163A9
                                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02A163CA
                                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02A163EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 1965334864-0
                                                                                        • Opcode ID: 306d6bbdf39880048e3f370b4b7731c34cfc72ace2114b2de5c9caeabc6393ec
                                                                                        • Instruction ID: 1681390fea0b5d45a6e26906fd3d93e5d488527447842a89cbcc5352c1946b58
                                                                                        • Opcode Fuzzy Hash: 306d6bbdf39880048e3f370b4b7731c34cfc72ace2114b2de5c9caeabc6393ec
                                                                                        • Instruction Fuzzy Hash: 6E119471A40219BFDB214F69DD49F9B7BACEB04BB4F014464F904E6280DB70DC108AA0
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02A11839,02A19646), ref: 02A11012
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02A110C2
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02A110E1
                                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02A11101
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02A11121
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02A11140
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02A11160
                                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02A11180
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02A1119F
                                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02A111BF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02A111DF
                                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02A111FE
                                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02A1121A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                        • API String ID: 2238633743-3228201535
                                                                                        • Opcode ID: 2b1a0c21aba6154daab42e00b11ef225c1a0eedf45e9ead214280bcc2612ad30
                                                                                        • Instruction ID: fb8d3ff7031b7f9f264de5206da9c2994a6ad74c89ea3657ef5ea7aa0a5749bd
                                                                                        • Opcode Fuzzy Hash: 2b1a0c21aba6154daab42e00b11ef225c1a0eedf45e9ead214280bcc2612ad30
                                                                                        • Instruction Fuzzy Hash: 4E515471D82611A6EB348B6CA8E076176E4674B334F1607A6DA29F22D0DF78C09FCF51
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 02A1B2B3
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02A1B2C2
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 02A1B2D0
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 02A1B2E1
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 02A1B31A
                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 02A1B329
                                                                                        • wsprintfA.USER32 ref: 02A1B3B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                        • API String ID: 766114626-2976066047
                                                                                        • Opcode ID: d5ac07ddcf2ed765f312b5d3302852957bc74f9e57aff182f19a219787e2e212
                                                                                        • Instruction ID: 02b248a0a225280f5523b59bb13ba0d356bd396a5da11c5e59d8275f3bdacc9f
                                                                                        • Opcode Fuzzy Hash: d5ac07ddcf2ed765f312b5d3302852957bc74f9e57aff182f19a219787e2e212
                                                                                        • Instruction Fuzzy Hash: 3F512CB1E0022CABCF14DFD9DA845EFBBB9BF58314F105499E501B6150DB344A9DCBA0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                        • API String ID: 2400214276-165278494
                                                                                        • Opcode ID: 51f1514fb73e30610cafd8d5441571b75ba4978dd47758197db740c300d43d55
                                                                                        • Instruction ID: 324788127e27f0c82df1e5b2b0cfa292a50d7f0299e6372278a505be914f4722
                                                                                        • Opcode Fuzzy Hash: 51f1514fb73e30610cafd8d5441571b75ba4978dd47758197db740c300d43d55
                                                                                        • Instruction Fuzzy Hash: E7615B72A40218AFEB609FA8DC45FEA77E9FF08310F148469F969D2121EA7199548F50
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                                        • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                        • API String ID: 3650048968-4264063882
                                                                                        • Opcode ID: 5a1489485e32c235544ef7c0d79020657c80760e8f4d9d024d11d741cf8294d4
                                                                                        • Instruction ID: ee968fe0d8c8778e23323b3c27c2dadcab23b53b48b3d753d8caf2750200ffb4
                                                                                        • Opcode Fuzzy Hash: 5a1489485e32c235544ef7c0d79020657c80760e8f4d9d024d11d741cf8294d4
                                                                                        • Instruction Fuzzy Hash: DFA15771A86355BAEF208B58CDC5FBE377AFB10338F140466FA06A6082DF318949CB55
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 02A1139A
                                                                                        • lstrlenW.KERNEL32(-00000003), ref: 02A11571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExecuteShelllstrlen
                                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                        • API String ID: 1628651668-3716895483
                                                                                        • Opcode ID: d5f6c32df8701214df31e1978f6cfd537c6cf2b589f4e33161045c55caed511f
                                                                                        • Instruction ID: 76738775dbeb026f0d0ce4b4eef45bbc4a3e7d9892510a8517ad6b5fa0fab494
                                                                                        • Opcode Fuzzy Hash: d5f6c32df8701214df31e1978f6cfd537c6cf2b589f4e33161045c55caed511f
                                                                                        • Instruction Fuzzy Hash: C6F189B56083419FD720DF68C888B6AB7E5FB89314F00496DFA9A97380DB74D849CF52
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 02A12A83
                                                                                        • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 02A12A86
                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 02A12AA0
                                                                                        • htons.WS2_32(00000000), ref: 02A12ADB
                                                                                        • select.WS2_32 ref: 02A12B28
                                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 02A12B4A
                                                                                        • htons.WS2_32(?), ref: 02A12B71
                                                                                        • htons.WS2_32(?), ref: 02A12B8C
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02A12BFB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                        • String ID:
                                                                                        • API String ID: 1639031587-0
                                                                                        • Opcode ID: c77182aefdf91ed74656d610f3382d61ac9a069e7dbd75e2577aaf6137815131
                                                                                        • Instruction ID: 7cc94d3c0cd24cbfa688e6d86a373059cabbb90e33c08c5ddb15a6bab6ccaade
                                                                                        • Opcode Fuzzy Hash: c77182aefdf91ed74656d610f3382d61ac9a069e7dbd75e2577aaf6137815131
                                                                                        • Instruction Fuzzy Hash: 8461E1719443259FD7209F64DC48B7ABBE9FB983A5F010809FE8997180DFB0D8598BA1
                                                                                        APIs
                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 02A170C2
                                                                                        • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 02A1719E
                                                                                        • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 02A171B2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02A17208
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02A17291
                                                                                        • ___ascii_stricmp.LIBCMT ref: 02A172C2
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02A172D0
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02A17314
                                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02A1738D
                                                                                        • RegCloseKey.ADVAPI32(75920F10), ref: 02A173D8
                                                                                          • Part of subcall function 02A1F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02A222F8,000000C8,02A17150,?), ref: 02A1F1AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                        • String ID: $"
                                                                                        • API String ID: 4293430545-3817095088
                                                                                        • Opcode ID: 1136d3c7af784f88fbf8ba55df82e32995112adcf7705a5372ec775e0af3fdd0
                                                                                        • Instruction ID: 10c5241517c02b946f688ba439b55e840662c7532a77cfa6df3e6bc8db57aebe
                                                                                        • Opcode Fuzzy Hash: 1136d3c7af784f88fbf8ba55df82e32995112adcf7705a5372ec775e0af3fdd0
                                                                                        • Instruction Fuzzy Hash: C9B19172884219BEEB15DFA4DD84BEEB7B9EF04320F100466F901E2090EF759A84CF64
                                                                                        APIs
                                                                                        • GetLocalTime.KERNEL32(?), ref: 02A1AD98
                                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 02A1ADA6
                                                                                          • Part of subcall function 02A1AD08: gethostname.WS2_32(?,00000080), ref: 02A1AD1C
                                                                                          • Part of subcall function 02A1AD08: lstrlenA.KERNEL32(?), ref: 02A1AD60
                                                                                          • Part of subcall function 02A1AD08: lstrlenA.KERNEL32(?), ref: 02A1AD69
                                                                                          • Part of subcall function 02A1AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 02A1AD7F
                                                                                          • Part of subcall function 02A130B5: gethostname.WS2_32(?,00000080), ref: 02A130D8
                                                                                          • Part of subcall function 02A130B5: gethostbyname.WS2_32(?), ref: 02A130E2
                                                                                        • wsprintfA.USER32 ref: 02A1AEA5
                                                                                          • Part of subcall function 02A1A7A3: inet_ntoa.WS2_32(00000000), ref: 02A1A7A9
                                                                                        • wsprintfA.USER32 ref: 02A1AE4F
                                                                                        • wsprintfA.USER32 ref: 02A1AE5E
                                                                                          • Part of subcall function 02A1EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02A1EF92
                                                                                          • Part of subcall function 02A1EF7C: lstrlenA.KERNEL32(?), ref: 02A1EF99
                                                                                          • Part of subcall function 02A1EF7C: lstrlenA.KERNEL32(00000000), ref: 02A1EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                        • API String ID: 3631595830-1816598006
                                                                                        • Opcode ID: cf7bc6b01ef1c33802b3852ab06011b2495393c8e2f3d7d818fff3f7d42d8a34
                                                                                        • Instruction ID: e361bdc97da7bd7a76d59aa62aab4136d38ff1caed2c9aa937205922fed58a72
                                                                                        • Opcode Fuzzy Hash: cf7bc6b01ef1c33802b3852ab06011b2495393c8e2f3d7d818fff3f7d42d8a34
                                                                                        • Instruction Fuzzy Hash: 78412BB294021CBBEB25AFA4CD45EEE3BAEBB18310F14041ABA1592151EE71D918CF60
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,02A12F0F,?,02A120FF,02A22000), ref: 02A12E01
                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02A12F0F,?,02A120FF,02A22000), ref: 02A12E11
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02A12E2E
                                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02A12F0F,?,02A120FF,02A22000), ref: 02A12E4C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,02A12F0F,?,02A120FF,02A22000), ref: 02A12E4F
                                                                                        • htons.WS2_32(00000035), ref: 02A12E88
                                                                                        • inet_addr.WS2_32(?), ref: 02A12E93
                                                                                        • gethostbyname.WS2_32(?), ref: 02A12EA6
                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02A12F0F,?,02A120FF,02A22000), ref: 02A12EE3
                                                                                        • HeapFree.KERNEL32(00000000,?,00000000,02A12F0F,?,02A120FF,02A22000), ref: 02A12EE6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                                        • API String ID: 929413710-2099955842
                                                                                        • Opcode ID: fb08adc61e64a400e1836af82b6ffce78117238c46bee7b2ffc72babfb102b31
                                                                                        • Instruction ID: 507c910b005dfb7ed65f9dc39d6ed10d957a46f5822a6c17c2960e57071d311f
                                                                                        • Opcode Fuzzy Hash: fb08adc61e64a400e1836af82b6ffce78117238c46bee7b2ffc72babfb102b31
                                                                                        • Instruction Fuzzy Hash: B131E031E4022AABDB209BB89888B7E7FB8AF14734F150515ED18E72C0EF30C5468F60
                                                                                        APIs
                                                                                        • GetVersionExA.KERNEL32(?,?,02A19DD7,?,00000022,?,?,00000000,00000001), ref: 02A19340
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02A19DD7,?,00000022,?,?,00000000,00000001), ref: 02A1936E
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,02A19DD7,?,00000022,?,?,00000000,00000001), ref: 02A19375
                                                                                        • wsprintfA.USER32 ref: 02A193CE
                                                                                        • wsprintfA.USER32 ref: 02A1940C
                                                                                        • wsprintfA.USER32 ref: 02A1948D
                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02A194F1
                                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02A19526
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02A19571
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                        • String ID: runas
                                                                                        • API String ID: 3696105349-4000483414
                                                                                        • Opcode ID: b9bcb4021ad576db17cf640ce24bfea745d95ebba2ba37a70ee46a133ad1242d
                                                                                        • Instruction ID: 54039464a905547a3f7193ba579da2fc9f81e1f65fbcc0b1cd18102d9d9e595f
                                                                                        • Opcode Fuzzy Hash: b9bcb4021ad576db17cf640ce24bfea745d95ebba2ba37a70ee46a133ad1242d
                                                                                        • Instruction Fuzzy Hash: 9DA1A0B2980259AFEB219FA4CC95FEF3BADFB04750F100026FA15A2141EB75D548CFA1
                                                                                        APIs
                                                                                        • wsprintfA.USER32 ref: 02A1B467
                                                                                          • Part of subcall function 02A1EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02A1EF92
                                                                                          • Part of subcall function 02A1EF7C: lstrlenA.KERNEL32(?), ref: 02A1EF99
                                                                                          • Part of subcall function 02A1EF7C: lstrlenA.KERNEL32(00000000), ref: 02A1EFA0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$wsprintf
                                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                        • API String ID: 1220175532-2340906255
                                                                                        • Opcode ID: f28537206a015d9d552571c796d34dee3cf6dfbb2ab5f013e390f58067cf4644
                                                                                        • Instruction ID: 15231852c63291b32dbb7d15ad43e93847337d66305752abf17748da70a71aaf
                                                                                        • Opcode Fuzzy Hash: f28537206a015d9d552571c796d34dee3cf6dfbb2ab5f013e390f58067cf4644
                                                                                        • Instruction Fuzzy Hash: F64151B29802287EEF01AAA4CEC1DFF7B6DFE59668F140415FD05A2000DE31A9198BB1
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02A12078
                                                                                        • GetTickCount.KERNEL32 ref: 02A120D4
                                                                                        • GetTickCount.KERNEL32 ref: 02A120DB
                                                                                        • GetTickCount.KERNEL32 ref: 02A1212B
                                                                                        • GetTickCount.KERNEL32 ref: 02A12132
                                                                                        • GetTickCount.KERNEL32 ref: 02A12142
                                                                                          • Part of subcall function 02A1F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02A1E342,00000000,7508EA50,80000001,00000000,02A1E513,?,00000000,00000000,?,000000E4), ref: 02A1F089
                                                                                          • Part of subcall function 02A1F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02A1E342,00000000,7508EA50,80000001,00000000,02A1E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02A1F093
                                                                                          • Part of subcall function 02A1E854: lstrcpyA.KERNEL32(00000001,?,?,02A1D8DF,00000001,localcfg,except_info,00100000,02A20264), ref: 02A1E88B
                                                                                          • Part of subcall function 02A1E854: lstrlenA.KERNEL32(00000001,?,02A1D8DF,00000001,localcfg,except_info,00100000,02A20264), ref: 02A1E899
                                                                                          • Part of subcall function 02A11C5F: wsprintfA.USER32 ref: 02A11CE1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                        • API String ID: 3976553417-1522128867
                                                                                        • Opcode ID: 806a000d0a965651798a34fd5b81f86674c63c604b4d4789ccfb7488064ce934
                                                                                        • Instruction ID: 0c8c10a758bdcf49bf2722947bde2e7ff11f2db0db74ec2a14f26a842e2ab960
                                                                                        • Opcode Fuzzy Hash: 806a000d0a965651798a34fd5b81f86674c63c604b4d4789ccfb7488064ce934
                                                                                        • Instruction Fuzzy Hash: A9510370D883555EE738EF28EE84B667BE9AB00324F010919DE01C6190EFB1E95DCF11
                                                                                        APIs
                                                                                          • Part of subcall function 02A1A4C7: GetTickCount.KERNEL32 ref: 02A1A4D1
                                                                                          • Part of subcall function 02A1A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02A1A4FA
                                                                                        • GetTickCount.KERNEL32 ref: 02A1C31F
                                                                                        • GetTickCount.KERNEL32 ref: 02A1C32B
                                                                                        • GetTickCount.KERNEL32 ref: 02A1C363
                                                                                        • GetTickCount.KERNEL32 ref: 02A1C378
                                                                                        • GetTickCount.KERNEL32 ref: 02A1C44D
                                                                                        • InterlockedIncrement.KERNEL32(02A1C4E4), ref: 02A1C4AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,02A1B535,00000000,?,02A1C4E0), ref: 02A1C4C1
                                                                                        • CloseHandle.KERNEL32(00000000,?,02A1C4E0,02A23588,02A18810), ref: 02A1C4CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1553760989-1857712256
                                                                                        • Opcode ID: a155b140a4e1b3af1031561641b342239fe8eb530f4a684b8d2c10a456726454
                                                                                        • Instruction ID: d14ad726889f13bc84f457b44cab325127dcfaf6e292054b518616f4971d57f1
                                                                                        • Opcode Fuzzy Hash: a155b140a4e1b3af1031561641b342239fe8eb530f4a684b8d2c10a456726454
                                                                                        • Instruction Fuzzy Hash: 2B516F71940B418FD7248F69C6C562AFBEAFB48324B505D2ED18BC7A90DB74E844CB15
                                                                                        APIs
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02A1BE4F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02A1BE5B
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02A1BE67
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02A1BF6A
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02A1BF7F
                                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02A1BF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrcmpi
                                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                        • API String ID: 1586166983-1625972887
                                                                                        • Opcode ID: 5908339e60d2408de2ebbc3f9d3f1963497af5e76a34625473d2c487b9acc66b
                                                                                        • Instruction ID: 1cfd7312ab55f9ea6ab610fc2607b890a0e9cb962fd50e8be5c913947a6725d8
                                                                                        • Opcode Fuzzy Hash: 5908339e60d2408de2ebbc3f9d3f1963497af5e76a34625473d2c487b9acc66b
                                                                                        • Instruction Fuzzy Hash: 59519675A04316EFDB159F69C980B5EBBB9AF0436CF044856ED419B250DF30E945CFA0
                                                                                        APIs
                                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16A7D
                                                                                        • GetDiskFreeSpaceA.KERNEL32(02A19E9D,02A19A60,?,?,?,02A222F8,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16ABB
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16B40
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16B4E
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16B5F
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16B6F
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16B7D
                                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02A19A60,?,?,02A19E9D), ref: 02A16B80
                                                                                        • GetLastError.KERNEL32(?,?,?,02A19A60,?,?,02A19E9D,?,?,?,?,?,02A19E9D,?,00000022,?), ref: 02A16B96
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 3188212458-0
                                                                                        • Opcode ID: 2a2ae3767a94fd980a01e763fe76766d996f89e8cd311c8e7ae7e55f8e3ee52b
                                                                                        • Instruction ID: 170589b19b3c2c9fd7ad8e2d07164a2c946a28aea9fa06a57d3556c6d6fc4db7
                                                                                        • Opcode Fuzzy Hash: 2a2ae3767a94fd980a01e763fe76766d996f89e8cd311c8e7ae7e55f8e3ee52b
                                                                                        • Instruction Fuzzy Hash: F33113B2D8410CAFEB119FA89D84EEEBB7DEB58720F054466E611E3240DF30855A8F61
                                                                                        APIs
                                                                                        • GetUserNameA.ADVAPI32(?,02A1D7C3), ref: 02A16F7A
                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02A1D7C3), ref: 02A16FC1
                                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02A16FE8
                                                                                        • LocalFree.KERNEL32(00000120), ref: 02A1701F
                                                                                        • wsprintfA.USER32 ref: 02A17036
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                        • String ID: /%d$|
                                                                                        • API String ID: 676856371-4124749705
                                                                                        • Opcode ID: de9d68cd8673a8caf096634281e9d714e15311292098833ec20bf30af87f91e0
                                                                                        • Instruction ID: 72cc45aef7ca245588a7bbed0642565937c4ce2b1c5dd7ea3d898e9ae6deb53a
                                                                                        • Opcode Fuzzy Hash: de9d68cd8673a8caf096634281e9d714e15311292098833ec20bf30af87f91e0
                                                                                        • Instruction Fuzzy Hash: 4E311A72900218BFDB11DFA8D949ADA7BBCEF04324F048156F819DB140EB75D6088B94
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02A222F8,000000E4,02A16DDC,000000C8), ref: 02A16CE7
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02A16CEE
                                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02A16D14
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02A16D2B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                        • API String ID: 1082366364-3395550214
                                                                                        • Opcode ID: 35164e88f2a4e9afdef3f26da325298ed0278b2a12a55ce76c38b41bddccf1ee
                                                                                        • Instruction ID: 7b4d2d3657bf3b08b10c0997df4d29ac8573a3e7e6f9cf9ac04816f8872757f4
                                                                                        • Opcode Fuzzy Hash: 35164e88f2a4e9afdef3f26da325298ed0278b2a12a55ce76c38b41bddccf1ee
                                                                                        • Instruction Fuzzy Hash: E3212351AC07647EF732573A4DC8FB73E4E8B22B24F0A0444FC44E6080DF99C68E8AA5
                                                                                        APIs
                                                                                        • CreateProcessA.KERNEL32(00000000,02A19947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02A222F8), ref: 02A197B1
                                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02A222F8), ref: 02A197EB
                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A197F9
                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A19831
                                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A1984E
                                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A1985B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                        • String ID: D
                                                                                        • API String ID: 2981417381-2746444292
                                                                                        • Opcode ID: 901a72895ace25998d66195190459f2141b5459f7f98f0688bd916f3afb97364
                                                                                        • Instruction ID: 204a1cdbc6423687a0939032befa2822cc7b783e425d6d2a74998036c5028157
                                                                                        • Opcode Fuzzy Hash: 901a72895ace25998d66195190459f2141b5459f7f98f0688bd916f3afb97364
                                                                                        • Instruction Fuzzy Hash: B3210C71D4112ABBDB219FA5DC49FEF7B7CEF05764F000461BA19E5040EF309659CAA0
                                                                                        APIs
                                                                                          • Part of subcall function 02A1DD05: GetTickCount.KERNEL32 ref: 02A1DD0F
                                                                                          • Part of subcall function 02A1DD05: InterlockedExchange.KERNEL32(02A236B4,00000001), ref: 02A1DD44
                                                                                          • Part of subcall function 02A1DD05: GetCurrentThreadId.KERNEL32 ref: 02A1DD53
                                                                                          • Part of subcall function 02A1DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02A1DDB5
                                                                                        • lstrcpynA.KERNEL32(?,02A11E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02A1EAAA,?,?), ref: 02A1E8DE
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02A1EAAA,?,?,00000001,?,02A11E84,?), ref: 02A1E935
                                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02A1EAAA,?,?,00000001,?,02A11E84,?,0000000A), ref: 02A1E93D
                                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02A1EAAA,?,?,00000001,?,02A11E84,?), ref: 02A1E94F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                        • String ID: flags_upd$localcfg
                                                                                        • API String ID: 204374128-3505511081
                                                                                        • Opcode ID: 335ffe0c5be0dabdecd88362684ee5fd30e9f36c78891e7a1e31453b24464a50
                                                                                        • Instruction ID: 4ce4c5bae0191df1f461be60026cec04cf86de1ec4f3b8a281a3731fdcb386a9
                                                                                        • Opcode Fuzzy Hash: 335ffe0c5be0dabdecd88362684ee5fd30e9f36c78891e7a1e31453b24464a50
                                                                                        • Instruction Fuzzy Hash: 78511172D40209AFCF11DFA8CA84DAEBBF9FF44314F144569E405A7250DB35EA158F50
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Code
                                                                                        • String ID:
                                                                                        • API String ID: 3609698214-0
                                                                                        • Opcode ID: ba89366edd66f441ae79297115323ce301f6465aadcca0ca1e16446459a34c21
                                                                                        • Instruction ID: 89d5ce27012ca5616bfb29320b0f04b378429cb866e6113a1f4becabc34f859d
                                                                                        • Opcode Fuzzy Hash: ba89366edd66f441ae79297115323ce301f6465aadcca0ca1e16446459a34c21
                                                                                        • Instruction Fuzzy Hash: F721C376948105FFEB259B74EE88DAF3B6CDB05B74B114815F502E1040EF30DA05DA74
                                                                                        APIs
                                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,02A222F8), ref: 02A1907B
                                                                                        • wsprintfA.USER32 ref: 02A190E9
                                                                                        • CreateFileA.KERNEL32(02A222F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02A1910E
                                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02A19122
                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02A1912D
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02A19134
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2439722600-0
                                                                                        • Opcode ID: af55c9e2242344406bee640b6822b406dd612d53327e07ad538cc8db2a7e2fb8
                                                                                        • Instruction ID: 62244df154aaa87eba19048de88c2cd9c18a5d495151db062a7ec2b8ea240c3b
                                                                                        • Opcode Fuzzy Hash: af55c9e2242344406bee640b6822b406dd612d53327e07ad538cc8db2a7e2fb8
                                                                                        • Instruction Fuzzy Hash: BF11DAB2A801147FF7256635DE09FBF367EDBD4710F008465BB0AA1040EE708A168AA0
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02A1DD0F
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02A1DD20
                                                                                        • GetTickCount.KERNEL32 ref: 02A1DD2E
                                                                                        • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,02A1E538,?,75920F10,?,00000000,?,02A1A445), ref: 02A1DD3B
                                                                                        • InterlockedExchange.KERNEL32(02A236B4,00000001), ref: 02A1DD44
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02A1DD53
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                        • String ID:
                                                                                        • API String ID: 3819781495-0
                                                                                        • Opcode ID: c322b202746d7e0dcc8901a282c1db9610753857e9ca03280ee2ccb48610a42d
                                                                                        • Instruction ID: 246596521888791f980743b2f8b6502026990395bfc1fdeb403467fb53d8467d
                                                                                        • Opcode Fuzzy Hash: c322b202746d7e0dcc8901a282c1db9610753857e9ca03280ee2ccb48610a42d
                                                                                        • Instruction Fuzzy Hash: 12F0B4719892049BEBA05B6DAC84B363BBBE766321F020855E109D2140CF28D06FCE21
                                                                                        APIs
                                                                                        • gethostname.WS2_32(?,00000080), ref: 02A1AD1C
                                                                                        • lstrlenA.KERNEL32(?), ref: 02A1AD60
                                                                                        • lstrlenA.KERNEL32(?), ref: 02A1AD69
                                                                                        • lstrcpyA.KERNEL32(?,LocalHost), ref: 02A1AD7F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                                        • String ID: LocalHost
                                                                                        • API String ID: 3695455745-3154191806
                                                                                        • Opcode ID: 52d161110213ebec9e7a3c2b11ff7697284ab7deef4f5f5537d1a85b16cca49f
                                                                                        • Instruction ID: 281985645c29223709d571547433041b66db6c0a52ec2eff4fd58351b8a2cc82
                                                                                        • Opcode Fuzzy Hash: 52d161110213ebec9e7a3c2b11ff7697284ab7deef4f5f5537d1a85b16cca49f
                                                                                        • Instruction Fuzzy Hash: 8601F560886B895EEF31473C9588BB57F76AB9672AF500056E4C09B117EF28C087C7A6
                                                                                        APIs
                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02A198FD,00000001,00000100,02A222F8,02A1A3C7), ref: 02A14290
                                                                                        • CloseHandle.KERNEL32(02A1A3C7), ref: 02A143AB
                                                                                        • CloseHandle.KERNEL32(00000001), ref: 02A143AE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CloseHandle$CreateEvent
                                                                                        • String ID:
                                                                                        • API String ID: 1371578007-0
                                                                                        • Opcode ID: c8101c775be75f0742db2820bc7407b7872d59543d88b4d9103b2bd46b83af65
                                                                                        • Instruction ID: ff21dc591e97e6bce20a1c49edc51ca5d07291e9bf930e3fcc91065f964dec5b
                                                                                        • Opcode Fuzzy Hash: c8101c775be75f0742db2820bc7407b7872d59543d88b4d9103b2bd46b83af65
                                                                                        • Instruction Fuzzy Hash: 8141ABB1C44209BBDF20ABA5DE85FAFBFB9EF44374F104596F604A6180DB348651DBA0
                                                                                        APIs
                                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02A164CF,00000000), ref: 02A1609C
                                                                                        • LoadLibraryA.KERNEL32(?,?,02A164CF,00000000), ref: 02A160C3
                                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 02A1614A
                                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02A1619E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2438460464-0
                                                                                        • Opcode ID: 6c52834cde2d201514b68597d4510500736d956ee6954b2c040198ae093b9832
                                                                                        • Instruction ID: c1002204d4ec9e30bab4be307b2471ebfef4d5f6f351980b8e2fc0d5514c3a1d
                                                                                        • Opcode Fuzzy Hash: 6c52834cde2d201514b68597d4510500736d956ee6954b2c040198ae093b9832
                                                                                        • Instruction Fuzzy Hash: DF416A71E0020AAFDB24CF58C884BA9B7BDFF14768F148069E815D7291EB30E959CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2644aacfd3269fe5d8ca6cb51aa951c8c38c1dc85f9bcc453355b4f8d7afeb1b
                                                                                        • Instruction ID: 83b05dfabed7f7ea514866d029e0606b02df1331e7df1ae093c3c0dc80d6f3a1
                                                                                        • Opcode Fuzzy Hash: 2644aacfd3269fe5d8ca6cb51aa951c8c38c1dc85f9bcc453355b4f8d7afeb1b
                                                                                        • Instruction Fuzzy Hash: E631D271A40328ABDB208FA8CD81BBEB7F4FF48721F104456E944E6280EB74D641CF50
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 02A1272E
                                                                                        • htons.WS2_32(00000001), ref: 02A12752
                                                                                        • htons.WS2_32(0000000F), ref: 02A127D5
                                                                                        • htons.WS2_32(00000001), ref: 02A127E3
                                                                                        • sendto.WS2_32(?,02A22BF8,00000009,00000000,00000010,00000010), ref: 02A12802
                                                                                          • Part of subcall function 02A1EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02A1EBFE,7FFF0001,?,02A1DB55,7FFF0001), ref: 02A1EBD3
                                                                                          • Part of subcall function 02A1EBCC: RtlAllocateHeap.NTDLL(00000000,?,02A1DB55,7FFF0001), ref: 02A1EBDA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                        • String ID:
                                                                                        • API String ID: 1128258776-0
                                                                                        • Opcode ID: cca2b5c46aa9c5162690403e8f0cf47021a7226a46e19cca22bf9c4dd368091c
                                                                                        • Instruction ID: 9f11a1c8571ee024ca4285f7a12d59fd44dbdc5646167aa417bc384bb20dcabd
                                                                                        • Opcode Fuzzy Hash: cca2b5c46aa9c5162690403e8f0cf47021a7226a46e19cca22bf9c4dd368091c
                                                                                        • Instruction Fuzzy Hash: BA313834A843969FDB208F78D880B727764EF19328B6A845DEE55CB312DE32D457CB10
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02A222F8), ref: 02A1915F
                                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02A19166
                                                                                        • CharToOemA.USER32(?,?), ref: 02A19174
                                                                                        • wsprintfA.USER32 ref: 02A191A9
                                                                                          • Part of subcall function 02A19064: GetTempPathA.KERNEL32(00000400,?,00000000,02A222F8), ref: 02A1907B
                                                                                          • Part of subcall function 02A19064: wsprintfA.USER32 ref: 02A190E9
                                                                                          • Part of subcall function 02A19064: CreateFileA.KERNEL32(02A222F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02A1910E
                                                                                          • Part of subcall function 02A19064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02A19122
                                                                                          • Part of subcall function 02A19064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02A1912D
                                                                                          • Part of subcall function 02A19064: CloseHandle.KERNEL32(00000000), ref: 02A19134
                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02A191E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 3857584221-0
                                                                                        • Opcode ID: c00cf7f26a6d182045e2291dbaab36d90657a899a7effafb84e55043af558a20
                                                                                        • Instruction ID: e1f09590f30d7190fb41c1985ced3f40f339392bbdfd4ef66d6750f4e1fd9bc7
                                                                                        • Opcode Fuzzy Hash: c00cf7f26a6d182045e2291dbaab36d90657a899a7effafb84e55043af558a20
                                                                                        • Instruction Fuzzy Hash: 4D016DB68801287BE720A6658D89FEF7A7CDB95B11F000091BB09E2040EE70968D8F60
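Two of the listings above are the API chains a reviewer of this report would want to pull out mechanically rather than by eye. In the function at 02A197B1, CreateProcessA's sixth argument 00000004 is CREATE_SUSPENDED: a child is started suspended, its thread context is read (GetThreadContext), its memory is written (WriteProcessMemory), its context is replaced (SetThreadContext) and only then is the thread resumed. In the routine at 02A1915F, a file under the temp path is created with GENERIC_WRITE (40000000) and CREATE_ALWAYS (00000002), written, closed and launched through ShellExecuteA with nShowCmd 0 (SW_HIDE); what is written to that file is not visible in the listing. The refs are code addresses, so each listing is in address order rather than execution order, and unrelated calls (TerminateProcess, presumably on an error path, or lstrlenA) sit between members of a chain. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's own format (the sample trace is constructed from the lines above, subcall annotations included), matches each chain in order while tolerating interleaved calls, and checks the flag argument where the sandbox resolved it, returning None instead of a verdict where the argument is shown as `?`. The rule names and chain definitions are this example's own choices, not the report's.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Win32 flag bits checked below.
CREATE_SUSPENDED = 0x00000004   # CreateProcess* dwCreationFlags (6th argument)
GENERIC_WRITE = 0x40000000      # CreateFile* dwDesiredAccess (2nd argument)

# Constructed sample in the report's own line format (the two listings above).
SAMPLE_TRACE = """\
• CreateProcessA.KERNEL32(00000000,02A19947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02A222F8), ref: 02A197B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02A222F8), ref: 02A197EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A197F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A19831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A1984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02A222F8), ref: 02A1985B
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02A222F8), ref: 02A1915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 02A19166
• CharToOemA.USER32(?,?), ref: 02A19174
• wsprintfA.USER32 ref: 02A191A9
  • Part of subcall function 02A19064: GetTempPathA.KERNEL32(00000400,?,00000000,02A222F8), ref: 02A1907B
  • Part of subcall function 02A19064: wsprintfA.USER32 ref: 02A190E9
  • Part of subcall function 02A19064: CreateFileA.KERNEL32(02A222F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02A1910E
  • Part of subcall function 02A19064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02A19122
  • Part of subcall function 02A19064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02A1912D
  • Part of subcall function 02A19064: CloseHandle.KERNEL32(00000000), ref: 02A19134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02A191E1
"""

# "<bullet> [Part of subcall function ADDR: ]Api.MODULE[(args)], ref: ADDR"
_CALL_RE = re.compile(
    r"^\W*(?:Part of subcall function \w+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

def parse_trace(text: str) -> List[Dict]:
    """Parse report-style call lines, keeping the report's (code-address) order."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue                      # headers such as "APIs" or "Strings"
        api, module, args, ref = m.groups()
        calls.append({"api": api, "module": module, "ref": ref,
                      "args": [a.strip() for a in args.split(",")] if args else []})
    return calls

def flag_set(call: Dict, index: int, bit: int) -> Optional[bool]:
    """True/False for a resolved hex argument; None when the sandbox shows '?' or a string."""
    args = call["args"]
    if index >= len(args):
        return None
    try:
        return bool(int(args[index], 16) & bit)
    except ValueError:
        return None

@dataclass
class Rule:
    name: str
    chain: Tuple[str, ...]                        # API-name prefixes, in order
    gate: Callable[[List[Dict]], Optional[bool]]  # flag check on the matched calls

RULES = [
    Rule("process_hollowing",
         ("CreateProcess", "GetThreadContext", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread"),
         lambda m: flag_set(m[0], 5, CREATE_SUSPENDED)),
    Rule("drop_and_execute",
         ("GetTempPath", "CreateFile", "WriteFile", "CloseHandle", "ShellExecute"),
         lambda m: flag_set(m[1], 1, GENERIC_WRITE)),
]

def match_chain(calls: List[Dict], start: int, chain: Tuple[str, ...]) -> Optional[List[Dict]]:
    """Match `chain` in order from calls[start]; unrelated calls may sit in between."""
    matched: List[Dict] = []
    for call in calls[start:]:
        if call["api"].startswith(chain[len(matched)]):
            matched.append(call)
            if len(matched) == len(chain):
                return matched
    return None

def find_chains(calls: List[Dict], rules=RULES) -> List[Dict]:
    """One finding per rule start that completes its chain."""
    findings = []
    for rule in rules:
        for i, call in enumerate(calls):
            if call["api"].startswith(rule.chain[0]):
                matched = match_chain(calls, i, rule.chain)
                if matched:
                    findings.append({"rule": rule.name,
                                     "refs": [c["ref"] for c in matched],
                                     "flags_confirmed": rule.gate(matched)})
    return findings

if __name__ == "__main__":
    for finding in find_chains(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Feed it the text of a whole report export rather than one function at a time, since chain members can be split across a function and its subcalls as in the second listing. A finding whose `flags_confirmed` is None means the chain matched but the sandbox could not resolve the flag argument; that is a case to confirm in the dump by hand, not to discard.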
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02A12491,?,?,?,02A1E844,-00000030,?,?,?,00000001), ref: 02A12429
                                                                                        • lstrlenA.KERNEL32(?,?,02A12491,?,?,?,02A1E844,-00000030,?,?,?,00000001,02A11E3D,00000001,localcfg,lid_file_upd), ref: 02A1243E
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 02A12452
                                                                                        • lstrlenA.KERNEL32(?,?,02A12491,?,?,?,02A1E844,-00000030,?,?,?,00000001,02A11E3D,00000001,localcfg,lid_file_upd), ref: 02A12467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: lstrlen$lstrcmpi
                                                                                        • String ID: localcfg
                                                                                        • API String ID: 1808961391-1857712256
                                                                                        • Opcode ID: 954c3f42f2c2efe27ea8eb09846f0c8a3fafd2ea13b3801e03a1d52498bf7064
                                                                                        • Instruction ID: 86fa4c0dd7b13c513fca4b02213ac86b2fc6d02e3bdbacca04dc86b43cc63cf6
                                                                                        • Opcode Fuzzy Hash: 954c3f42f2c2efe27ea8eb09846f0c8a3fafd2ea13b3801e03a1d52498bf7064
                                                                                        • Instruction Fuzzy Hash: 2901DA31600228AFCF15EF69DC85ADE7BA9EF44364B01C425ED5997201E730EA558A94

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: ecf77392b4f7c16f6bba3720edb7ed225a78e0853e4028f2de6806353c8b9cb3
• Instruction ID: 8f1cd904566323051d96df88ebc6e75dfcb3afc61b721523ae1d581c7826d919
• Opcode Fuzzy Hash: ecf77392b4f7c16f6bba3720edb7ed225a78e0853e4028f2de6806353c8b9cb3
• Instruction Fuzzy Hash: A8418D729042A89FDB21DF788D44BEE3BE99F49320F240156FEA4D3151DA35DA05CFA0

APIs
  • Part of subcall function 02A1DD05: GetTickCount.KERNEL32 ref: 02A1DD0F
  • Part of subcall function 02A1DD05: InterlockedExchange.KERNEL32(02A236B4,00000001), ref: 02A1DD44
  • Part of subcall function 02A1DD05: GetCurrentThreadId.KERNEL32 ref: 02A1DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,02A15EC1), ref: 02A1E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,02A15EC1), ref: 02A1E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,02A15EC1), ref: 02A1E722
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: d03257a52345bdb407e9b392dc707217720c1c64a16fa3f80927f9cd0306d10f
• Instruction ID: 269cee5ad6021b8bdf428f99c07c0c6bd3a0328e3137bb0d3dd20bbeb80fa300
• Opcode Fuzzy Hash: d03257a52345bdb407e9b392dc707217720c1c64a16fa3f80927f9cd0306d10f
• Instruction Fuzzy Hash: EA31BC31A04712DFEB318F68DAC4B6677E5AF05334F54882AED658B541EF70E888CB81

APIs
• RegCreateKeyExA.ADVAPI32(80000001,02A1E2A3,00000000,00000000,00000000,00020106,00000000,02A1E2A3,00000000,000000E4), ref: 02A1E0B2
• RegSetValueExA.ADVAPI32(02A1E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02A222F8), ref: 02A1E127
• RegDeleteValueA.ADVAPI32(02A1E2A3,?,?,?,?,?,000000C8,02A222F8), ref: 02A1E158
• RegCloseKey.ADVAPI32(02A1E2A3,?,?,?,?,000000C8,02A222F8,?,?,?,?,?,?,?,?,02A1E2A3), ref: 02A1E161
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 8f459e35c233681e9f6a96007aafdaa4cf922c747001df4c527cd21c411f803c
• Instruction ID: c724dc40fdccc4507b482c8ca0234e0ba4c35805270fb951eadc13b6ee3669a7
• Opcode Fuzzy Hash: 8f459e35c233681e9f6a96007aafdaa4cf922c747001df4c527cd21c411f803c
• Instruction Fuzzy Hash: BA214C71E40219BBDF219FA8DD89EEE7F79EF19760F004061FD04E6150EA318A59DB90

APIs
• ReadFile.KERNEL32(00000000,00000000,02A1A3C7,00000000,00000000,000007D0,00000001), ref: 02A13FB8
• GetLastError.KERNEL32 ref: 02A13FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02A13FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A13FE6
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 18141304ad0868614c48557929ce393586df820c1b99ed18d23823ab77383f8c
• Instruction ID: c50ca74d46775185448acbfe3e127a80a94ab15946962fc083d2187cee0c7dbb
• Opcode Fuzzy Hash: 18141304ad0868614c48557929ce393586df820c1b99ed18d23823ab77383f8c
• Instruction Fuzzy Hash: D701E97291010AABEF11DF94D985BEE7B7CEB14365F014452F902EA040DB70DA698BB1

APIs
• WriteFile.KERNEL32(00000000,00000000,02A1A3C7,00000000,00000000,000007D0,00000001), ref: 02A13F44
• GetLastError.KERNEL32 ref: 02A13F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02A13F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A13F72
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 618b1e597877412a5954185d86cbf62effa27fb38a48698e2b0fbf9079cc8002
• Instruction ID: b2ce11cf9fa84ce5e9b4be86c09ef4e5bda6f2b99cff9a06d244030ea31089c5
• Opcode Fuzzy Hash: 618b1e597877412a5954185d86cbf62effa27fb38a48698e2b0fbf9079cc8002
• Instruction Fuzzy Hash: B4014872914119ABEF11DF94ED84BEF3BBCEB04365F0144A6FA01E6040DB70DA258BB2

APIs
• GetTickCount.KERNEL32 ref: 02A14E9E
• GetTickCount.KERNEL32 ref: 02A14EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 02A14EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 02A14EC3
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 60eed6a30a48487fc8bd84b530ca4dba4af98499a76bd2af9656e3af64ecaf55
• Instruction ID: 38c803bb42ddc0c2dfcfaa8d032c111da6155c0dae6bc47ae3c1b4ba5f4e6334
• Opcode Fuzzy Hash: 60eed6a30a48487fc8bd84b530ca4dba4af98499a76bd2af9656e3af64ecaf55
• Instruction Fuzzy Hash: D0E07D3374820417E62022BEAC80FB777499B5A3B0F020931F708C21C0CE57D81349F1

APIs
• GetTickCount.KERNEL32 ref: 02A1A4D1
• GetTickCount.KERNEL32 ref: 02A1A4E4
• Sleep.KERNEL32(00000000,?,02A1C2E9,02A1C4E0,00000000,localcfg,?,02A1C4E0,02A23588,02A18810), ref: 02A1A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 02A1A4FA
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 22b697deff817b84daa4ad2053f2e8a645aa8386de2d3e741b0d195b0d4e5ff9
• Instruction ID: 26d24e8ca807bb8f548c21e6133adde58f26e6e3d0f172a1fd40ba4796584e0a
• Opcode Fuzzy Hash: 22b697deff817b84daa4ad2053f2e8a645aa8386de2d3e741b0d195b0d4e5ff9
• Instruction Fuzzy Hash: 7FE0263324A20457D61057A9AD84F7A3398AB49771F020421FB04D3142CE1AE856C1B6

APIs
• GetTickCount.KERNEL32 ref: 02A14BDD
• GetTickCount.KERNEL32 ref: 02A14BEC
• Sleep.KERNEL32(00000000,?,?,?,02E1B0B4,02A150F2), ref: 02A14BF9
• InterlockedExchange.KERNEL32(02E1B0A8,00000001), ref: 02A14C02
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 7cd4db1db4b67c36def387eec7e8d88429c0a75b23415f938356388b9af48845
• Instruction ID: 29ec0adbc21fae3b78048c653b93edcf4f0164ce1d7e13e290939dcd05559c65
• Opcode Fuzzy Hash: 7cd4db1db4b67c36def387eec7e8d88429c0a75b23415f938356388b9af48845
• Instruction Fuzzy Hash: 25E0863A68921457D62016AE5D80F6677589B59771F070462F708D2140CD56D45642B1

APIs
• GetTickCount.KERNEL32 ref: 02A13103
• GetTickCount.KERNEL32 ref: 02A1310F
• Sleep.KERNEL32(00000000), ref: 02A1311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 02A13128
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 8ac2409955857c5e5a17001dc5a4e5333c5b54a3ea52862bfc52cfca318dc275
• Instruction ID: 62e083ec441d0aae8266a1d8c17e6f23074432943cce78ebe195b4521aed7452
• Opcode Fuzzy Hash: 8ac2409955857c5e5a17001dc5a4e5333c5b54a3ea52862bfc52cfca318dc275
• Instruction Fuzzy Hash: 22E0C235644215ABEF102F7AAD84BA96A5EDF94771F120871F205D2090CE608C1E8971

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: e4c861b9933acb94c2d623d814e0b7457603e9378c8e2b4b845140c95b4b2c67
• Instruction ID: 427dc87901914631c00ebc31b2a43e6b91d3636f014fa36c95426980a18c1a6a
• Opcode Fuzzy Hash: e4c861b9933acb94c2d623d814e0b7457603e9378c8e2b4b845140c95b4b2c67
• Instruction Fuzzy Hash: B921D232A10715AFEB208FB8D9C066ABBBAEF21364B2A04D9D401D7101CF38E944CB50

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02A1C057
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 12eb7f7347f80fadf6119c754ec94378e466fd6d5911e7383a0705f87693b457
• Instruction ID: 17e19d21c08fc964c4e7ffd3afb3b92b656a48578e914cdfd09247544663dec5
• Opcode Fuzzy Hash: 12eb7f7347f80fadf6119c754ec94378e466fd6d5911e7383a0705f87693b457
• Instruction Fuzzy Hash: 0F119772500100FFDB529AA9CD44E567FA6FF8C318B34819CF6188E126D633D867EB50

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02A126C3
• inet_ntoa.WS2_32(?), ref: 02A126E4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: b79553a86263e212aae04e28370a9318dab3a6fcceb2996030e6f0be01dd9715
• Instruction ID: bfeb8b6b5a55731eea994d249d5c36d4be29be6efd291928e7a22ccec5c56f3f
• Opcode Fuzzy Hash: b79553a86263e212aae04e28370a9318dab3a6fcceb2996030e6f0be01dd9715
• Instruction Fuzzy Hash: DCF082361882186BEB00AFA4ED45BAA379DDB04360F104422FE18CA090EF71D9508798

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,02A1EB54,_alldiv,02A1F0B7,80000001,00000000,00989680,00000000,?,?,?,02A1E342,00000000,7508EA50,80000001,00000000), ref: 02A1EAF2
• GetProcAddress.KERNEL32(76E80000,00000000), ref: 02A1EB07
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 2d37fa9a77e8b0a3cfe94329006674d1035ec805d9b335f53a2a828390fa8c89
• Instruction ID: 5a5dac619a84b1d18ad648c6e680ce2fa4bbac75074e982489da566972f1becc
• Opcode Fuzzy Hash: 2d37fa9a77e8b0a3cfe94329006674d1035ec805d9b335f53a2a828390fa8c89
• Instruction Fuzzy Hash: 82D0C734F44302579F314F6C964AA2A76EC7750B11741CC55E507D1501DF34D41DD604

APIs
  • Part of subcall function 02A12D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02A12F01,?,02A120FF,02A22000), ref: 02A12D3A
  • Part of subcall function 02A12D21: LoadLibraryA.KERNEL32(?), ref: 02A12D4A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A12F73
• HeapFree.KERNEL32(00000000), ref: 02A12F7A
Memory Dump Source
• Source File: 0000000F.00000002.3296361627.0000000002A10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2a10000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 37774a2139f0177252339aa34497cb2b0dca0c6bf2f2dd157078dd763dc62e8e
• Instruction ID: 994d913a787b52211b6e948c274c3c586f5bc30671bac6a8c1af294e79dee245
• Opcode Fuzzy Hash: 37774a2139f0177252339aa34497cb2b0dca0c6bf2f2dd157078dd763dc62e8e
• Instruction Fuzzy Hash: C751AE7590021AAFCF01DF64D888AFAB7B5FF05314F1445A9EC96D7210EB32DA29CB90