Windows Analysis Report
knkduwqg.exe

Overview

General Information

Sample name: knkduwqg.exe
Analysis ID: 1503656
MD5: b32f61c5c47e9473cf4a0ac98e8143c1
SHA1: d6de6d48a87510f4ba641785e56311a4732dcf26
SHA256: 2d49ab2f33264eb29d38ab91a7c6dc193a6a0fa65260b0295b1123c18612d7c5
Tags: exe
Infos:

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • knkduwqg.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\knkduwqg.exe" MD5: B32F61C5C47E9473CF4A0AC98E8143C1)
    • cmd.exe (PID: 7636 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gtdjtffe\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7712 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\gtdjtffe\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7772 cmdline: "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7836 cmdline: "C:\Windows\System32\sc.exe" description gtdjtffe "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7896 cmdline: "C:\Windows\System32\sc.exe" start gtdjtffe MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7984 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ubezyssm.exe (PID: 7964 cmdline: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d"C:\Users\user\Desktop\knkduwqg.exe" MD5: 3B676A4B7350880B5593DF595D075E81)
    • svchost.exe (PID: 8048 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
00000000.00000002.1721874433.000000000061A000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x100fa:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0000000B.00000002.1724774915.00000000007F2000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1048a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(first 5 of 24 entries shown)

Source | Rule | Description | Author | Strings
11.2.ubezyssm.exe.f40000.2.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
11.2.ubezyssm.exe.f40000.2.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
11.2.ubezyssm.exe.f40000.2.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0.2.knkduwqg.exe.400000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.knkduwqg.exe.400000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(first 5 of 39 entries shown)

        System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d"C:\Users\user\Desktop\knkduwqg.exe", ParentImage: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe, ParentProcessId: 7964, ParentProcessName: ubezyssm.exe, ProcessCommandLine: svchost.exe, ProcessId: 8048, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\knkduwqg.exe", ParentImage: C:\Users\user\Desktop\knkduwqg.exe, ParentProcessId: 7584, ParentProcessName: knkduwqg.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7772, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 8048, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d"C:\Users\user\Desktop\knkduwqg.exe", ParentImage: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe, ParentProcessId: 7964, ParentProcessName: ubezyssm.exe, ProcessCommandLine: svchost.exe, ProcessId: 8048, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 8048, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gtdjtffe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\knkduwqg.exe", ParentImage: C:\Users\user\Desktop\knkduwqg.exe, ParentProcessId: 7584, ParentProcessName: knkduwqg.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7772, ProcessName: sc.exe
        No Suricata rule has matched

        AV Detection

Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: 0.2.knkduwqg.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: knkduwqg.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\ubezyssm.exe | Joe Sandbox ML: detected
Source: knkduwqg.exe | Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\knkduwqg.exe | Unpacked PE file: 0.2.knkduwqg.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Unpacked PE file: 11.2.ubezyssm.exe.400000.0.unpack
Source: C:\Users\user\Desktop\knkduwqg.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\gtdjtffe

        Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.75 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.11.0
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | IP Address: 98.136.96.75
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View | ASN Name: EUT-ASEUTIPNetworkRU
Source: Joe Sandbox View | ASN Name: YAHOO-NE1US
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 52.101.11.0:25
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 98.136.96.75:25
Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 142.251.168.26:25
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree, | 0_2_00402A62
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 11.2.ubezyssm.exe.f40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.knkduwqg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.svchost.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.svchost.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.knkduwqg.exe.2240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.ubezyssm.exe.780e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.knkduwqg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.ubezyssm.exe.f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.knkduwqg.exe.720e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.ubezyssm.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: knkduwqg.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ubezyssm.exe PID: 7964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8048, type: MEMORYSTR

        System Summary

Source: 11.2.ubezyssm.exe.f40000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.ubezyssm.exe.f40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.knkduwqg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.knkduwqg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 14.2.svchost.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 14.2.svchost.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 14.2.svchost.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 14.2.svchost.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.knkduwqg.exe.2240000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.knkduwqg.exe.2240000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.ubezyssm.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.ubezyssm.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.knkduwqg.exe.720e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.knkduwqg.exe.720e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.knkduwqg.exe.2240000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.knkduwqg.exe.2240000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.ubezyssm.exe.7a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.ubezyssm.exe.7a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.ubezyssm.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.ubezyssm.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.knkduwqg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.knkduwqg.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.ubezyssm.exe.f40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.ubezyssm.exe.f40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.knkduwqg.exe.720e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.knkduwqg.exe.720e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.ubezyssm.exe.7a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.ubezyssm.exe.7a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.1721874433.000000000061A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.1724774915.00000000007F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle, | 0_2_00408E26
Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError, | 0_2_00401280
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\gtdjtffe\
Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0040C913 | 0_2_0040C913
Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_0040C913 | 11_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0299C913 | 14_2_0299C913
Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: String function: 007227AB appears 35 times
Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: String function: 00402544 appears 53 times
Source: 11.2.ubezyssm.exe.f40000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.ubezyssm.exe.f40000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.knkduwqg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.knkduwqg.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 14.2.svchost.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 14.2.svchost.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 14.2.svchost.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 14.2.svchost.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.knkduwqg.exe.2240000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.knkduwqg.exe.2240000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.ubezyssm.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.ubezyssm.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.knkduwqg.exe.720e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.knkduwqg.exe.720e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.knkduwqg.exe.2240000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.knkduwqg.exe.2240000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.ubezyssm.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.3.ubezyssm.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.ubezyssm.exe.780e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ubezyssm.exe.780e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.knkduwqg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.knkduwqg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.ubezyssm.exe.f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ubezyssm.exe.f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.knkduwqg.exe.720e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.knkduwqg.exe.720e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.ubezyssm.exe.7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.3.ubezyssm.exe.7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1721874433.000000000061A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1724774915.00000000007F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/3@9/5
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError, | 0_2_00406A60
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0062A128 CreateToolhelp32Snapshot,Module32First, | 0_2_0062A128
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 0_2_00409A6B
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 11_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02999A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 14_2_02999A6B
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
        Source: C:\Users\user\Desktop\knkduwqg.exe | File created: C:\Users\user\AppData\Local\Temp\ubezyssm.exe
        Source: C:\Users\user\Desktop\knkduwqg.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\knkduwqg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: knkduwqg.exe | ReversingLabs: Detection: 39%
        Source: C:\Users\user\Desktop\knkduwqg.exe | File read: C:\Users\user\Desktop\knkduwqg.exe
        Source: C:\Users\user\Desktop\knkduwqg.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_0-14897
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_11-14975
        Source: unknown | Process created: C:\Users\user\Desktop\knkduwqg.exe "C:\Users\user\Desktop\knkduwqg.exe"
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gtdjtffe\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\gtdjtffe\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description gtdjtffe "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start gtdjtffe
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d"C:\Users\user\Desktop\knkduwqg.exe"
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\knkduwqg.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\knkduwqg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: knkduwqg.exeStatic file information: File size 12330496 > 1048576
        Source: C:\Users\user\Desktop\knkduwqg.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

        Data Obfuscation

        Source: C:\Users\user\Desktop\knkduwqg.exe | Unpacked PE file: 0.2.knkduwqg.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Unpacked PE file: 11.2.ubezyssm.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\knkduwqg.exe | Unpacked PE file: 0.2.knkduwqg.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Unpacked PE file: 11.2.ubezyssm.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0062D410 push 0000002Bh; iretd 0_2_0062D416
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_008057A0 push 0000002Bh; iretd 11_2_008057A6

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe (copy)
        Source: C:\Users\user\Desktop\knkduwqg.exe | File created: C:\Users\user\AppData\Local\Temp\ubezyssm.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gtdjtffe
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\knkduwqg.exe
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process information set: NOGPFAULTERRORBOX (12 occurrences)
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 14_2_0299199C
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-15957
        Source: C:\Users\user\Desktop\knkduwqg.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15952
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_14-7592
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_14-6129
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_14-6417
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15350
        Source: C:\Users\user\Desktop\knkduwqg.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15342
        Source: C:\Users\user\Desktop\knkduwqg.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_0-15085
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_14-7409
        Source: C:\Users\user\Desktop\knkduwqg.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14912
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-14992
        Source: C:\Users\user\Desktop\knkduwqg.exe | API coverage: 5.9 %
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | API coverage: 4.4 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8068 | Thread sleep count: 37 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8068 | Thread sleep time: -37000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed (2 occurrences)
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
        Source: svchost.exe, 0000000E.00000002.2922084953.0000000002E00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | API call chain: ExitProcess graph end node graph_11-15361

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_14-7654
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00629A05 push dword ptr fs:[00000030h] 0_2_00629A05
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0072092B mov eax, dword ptr fs:[00000030h] 0_2_0072092B
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00720D90 mov eax, dword ptr fs:[00000030h] 0_2_00720D90
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_0078092B mov eax, dword ptr fs:[00000030h] 11_2_0078092B
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_00780D90 mov eax, dword ptr fs:[00000030h] 11_2_00780D90
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_00801D95 push dword ptr fs:[00000030h] 11_2_00801D95
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02999A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 14_2_02999A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.75 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2990000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2990000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2990000
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A56008
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gtdjtffe\
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\gtdjtffe\
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description gtdjtffe "wifi internet conection"
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start gtdjtffe
        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey, 0_2_00407A95
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
        Source: C:\Users\user\Desktop\knkduwqg.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey, 0_2_00407A95
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\knkduwqg.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match | File source: 11.2.ubezyssm.exe.f40000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.knkduwqg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.svchost.exe.2990000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.svchost.exe.2990000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.knkduwqg.exe.2240000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.780e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.knkduwqg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.f40000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.knkduwqg.exe.720e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.3.ubezyssm.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: knkduwqg.exe PID: 7584, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: ubezyssm.exe PID: 7964, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8048, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 11.2.ubezyssm.exe.f40000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.knkduwqg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.svchost.exe.2990000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.svchost.exe.2990000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.knkduwqg.exe.2240000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.780e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.knkduwqg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.f40000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.knkduwqg.exe.720e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.3.ubezyssm.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: knkduwqg.exe PID: 7584, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: ubezyssm.exe PID: 7964, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8048, type: MEMORYSTR
        Source: C:\Users\user\Desktop\knkduwqg.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
        Source: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe | Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 11_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_029988B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 14_2_029988B0
        MITRE ATT&CK Matrix (techniques listed by tactic; a leading number is reproduced as shown in the report)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
        Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
        Execution: 41 Native API; 2 Command and Scripting Interpreter; 3 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
        Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 14 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
        Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 14 Windows Service; 412 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
        Defense Evasion: 3 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 12 Masquerading; 1 Valid Accounts; 11 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
        Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 15 System Information Discovery; 111 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery; Network Service Discovery; System Network Connections Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
        Command and Control: 1 Ingress Tool Transfer; 12 Encrypted Channel; 1 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
        Behavior Graph (ID: 1503656, Sample: knkduwqg.exe, Startdate: 03/09/2024, Architecture: WINDOWS, Score: 100)

        Recoverable content of the graph:
        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures. Top-level DNS/IP nodes: yahoo.com, vanaheim.cn and 6 other IPs or domains.
        knkduwqg.exe (started): drops C:\Users\user\AppData\Local\...\ubezyssm.exe (PE32); signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Child processes: cmd.exe, netsh.exe, cmd.exe and 3 other processes, each with a conhost.exe child.
        cmd.exe: drops C:\Windows\SysWOW64\...\ubezyssm.exe (copy) (PE32).
        ubezyssm.exe (started): signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures. Child process: svchost.exe.
        svchost.exe: connects to mta6.am0.yahoodns.net 98.136.96.75, 25 YAHOO-NE1US United States; microsoft-com.mail.protection.outlook.com 52.101.11.0, 25 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 3 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry).

Source | Detection | Scanner | Label
knkduwqg.exe | 39% | ReversingLabs |
knkduwqg.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ubezyssm.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
jotunheim.name:443 | 100% | Avira URL Cloud | malware
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 98.136.96.75 | true | true | | unknown
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown
vanaheim.cn | 77.232.41.29 | true | true | | unknown
smtp.google.com | 142.251.168.26 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
142.251.168.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
98.136.96.75 | mta6.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1503656
                        Start date and time:2024-09-03 19:04:08 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 13s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:knkduwqg.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@22/3@9/5
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 68
                        • Number of non-executed functions: 250
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 20.231.239.246, 20.236.44.162, 20.112.250.133, 20.70.246.20, 20.76.201.171
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                        • Report size getting too big, too many NtEnumerateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: knkduwqg.exe
Time | Type | Description
13:05:47 | API Interceptor | 10x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.11.0 | bEsOrli29K.exe | malicious | Tofsee
52.101.11.0 | SGn3RtDC8Y.exe | malicious | Tofsee
52.101.11.0 | vyrcclmm.exe | malicious | Tofsee
52.101.11.0 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
52.101.11.0 | DWoKcG581L.exe | malicious | Tofsee
52.101.11.0 | kPl1mZTpru.exe | malicious | Tofsee
52.101.11.0 | Wc4SadetF5.exe | malicious | Tofsee
52.101.11.0 | L7iza9mNDI.exe | malicious | Tofsee
52.101.11.0 | file.exe | malicious | Tofsee
52.101.11.0 | sorteado!!.com.exe | malicious | Unknown
217.69.139.150 | foufdsk.exe | malicious | Tofsee
217.69.139.150 | bEsOrli29K.exe | malicious | Tofsee
217.69.139.150 | Eduhazqw4u.exe | malicious | Tofsee
217.69.139.150 | SGn3RtDC8Y.exe | malicious | Tofsee
217.69.139.150 | Sm4Ty3Em4z.exe | malicious | Tofsee
217.69.139.150 | ewdWlNc8TL.exe | malicious | Tofsee
217.69.139.150 | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee
217.69.139.150 | vyrcclmm.exe | malicious | Tofsee
217.69.139.150 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
217.69.139.150 | I5vhb7vJPS.exe | malicious | Tofsee
77.232.41.29 | foufdsk.exe | malicious | Tofsee
77.232.41.29 | UUJycuNA6D.exe | malicious | Tofsee
77.232.41.29 | bEsOrli29K.exe | malicious | Tofsee
98.136.96.75 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
98.136.96.75 | gEkl9O5tiu.exe | malicious | Phorpiex
98.136.96.75 | file.exe | malicious | Phorpiex, Xmrig
98.136.96.75 | l3Qj8QhTYZ.exe | malicious | Phorpiex
98.136.96.75 | file.log.exe | malicious | Unknown
98.136.96.75 | message.txt.exe | malicious | Unknown
98.136.96.75 | ac492e6a204784df07ef3841b3ae1f8a68b349db90a34.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Xmrig
98.136.96.75 | readme.txt.exe | malicious | Unknown
98.136.96.75 | Update-KB9504-x86.exe | malicious | Unknown
98.136.96.75 | d5lcwbdDfu.exe | malicious | Tofsee Xmrig
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mta6.am0.yahoodns.net | UUJycuNA6D.exe | malicious | Tofsee | 67.195.204.77
mta6.am0.yahoodns.net | SGn3RtDC8Y.exe | malicious | Tofsee | 67.195.228.106
mta6.am0.yahoodns.net | .exe | malicious | Unknown | 98.136.96.76
mta6.am0.yahoodns.net | Sm4Ty3Em4z.exe | malicious | Tofsee | 67.195.204.73
mta6.am0.yahoodns.net | ewdWlNc8TL.exe | malicious | Tofsee | 67.195.204.74
mta6.am0.yahoodns.net | rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
mta6.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 98.136.96.75
mta6.am0.yahoodns.net | I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | OgcktrbHkI.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.94
microsoft-com.mail.protection.outlook.com | foufdsk.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | UUJycuNA6D.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | bEsOrli29K.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | Eduhazqw4u.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | igvdwmhd.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | .exe | malicious | Unknown | 52.101.40.26
microsoft-com.mail.protection.outlook.com | Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | ewdWlNc8TL.exe | malicious | Tofsee | 52.101.8.49
vanaheim.cn | foufdsk.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
vanaheim.cn | Eduhazqw4u.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | igvdwmhd.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
mxs.mail.ru | UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | bEsOrli29K.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Eduhazqw4u.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | igvdwmhd.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | setup.exe | malicious | Tofsee | 94.100.180.31
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MAILRU-ASMailRuRU | foufdsk.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | UUJycuNA6D.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
MAILRU-ASMailRuRU | tjigfd64.exe | malicious | LummaC Stealer | 5.181.61.0
MAILRU-ASMailRuRU | bEsOrli29K.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | http://manga-netflix10737.tinyblogging.com.xx3.kz/ | malicious | Unknown | 94.100.180.209
MAILRU-ASMailRuRU | SecuriteInfo.com.Trojan.Crypt.23519.13317.exe | malicious | Unknown | 188.93.63.129
MAILRU-ASMailRuRU | SecuriteInfo.com.Trojan.Crypt.23519.13317.exe | malicious | Unknown | 188.93.63.180
MAILRU-ASMailRuRU | Eduhazqw4u.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | igvdwmhd.exe | malicious | Tofsee | 94.100.180.31
YAHOO-NE1US | foufdsk.exe | malicious | Tofsee | 98.136.96.76
YAHOO-NE1US | .exe | malicious | Unknown | 98.136.96.76
YAHOO-NE1US | VvlYJBzLuW.elf | malicious | Mirai | 216.252.107.64
YAHOO-NE1US | rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
YAHOO-NE1US | setup.exe | malicious | Tofsee | 98.136.96.76
YAHOO-NE1US | botx.arm.elf | malicious | Mirai | 98.138.56.151
YAHOO-NE1US | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
YAHOO-NE1US | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 98.136.96.75
YAHOO-NE1US | s4WsI8Qcm4.elf | malicious | Mirai, Moobot | 98.139.105.91
YAHOO-NE1US | NgAzrOQSgK.elf | malicious | Mirai | 98.139.7.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | foufdsk.exe | malicious | Tofsee | 52.101.40.26
MICROSOFT-CORP-MSN-AS-BLOCKUS | UUJycuNA6D.exe | malicious | Tofsee | 52.101.40.26
MICROSOFT-CORP-MSN-AS-BLOCKUS | Pensacola Country Club.pdf | malicious | Unknown | 52.108.66.1
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.67
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://bestbuy.beautybyjoulexa.com.au/citrix/fxc/bWljaGFlbHNjb2ZpZWxkQGRpc25leS5jb20= | malicious | HTMLPhisher | 20.190.160.20
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://www.harmonyhomesestateagency.com | malicious | Unknown | 168.61.99.102
MICROSOFT-CORP-MSN-AS-BLOCKUS | PossiblePhishing.html | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://bergtool-my.sharepoint.com/:f:/p/officemgr/EkAEY_TxWUpGjuhgV5jRSO8BD2acB1HjNb72Far_j2tXBg?e=T7fVyK | malicious | EvilProxy | 20.42.73.31
EUT-ASEUTIPNetworkRU | foufdsk.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | UUJycuNA6D.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | bEsOrli29K.exe | malicious | Tofsee | 77.232.41.29
EUT-ASEUTIPNetworkRU | Set-up.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | Set-up.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot | 77.232.42.234
EUT-ASEUTIPNetworkRU | file.exe | malicious | Cryptbot, Neoreklami | 77.232.42.234
                                                                                          No context
                                                                                          No context
                                                                                          Process:C:\Users\user\Desktop\knkduwqg.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11193856
                                                                                          Entropy (8bit):4.606789659787796
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:Oc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:O1OZDisvwdaxO0PuG1R4CWs
                                                                                          MD5:3B676A4B7350880B5593DF595D075E81
                                                                                          SHA1:1C86FB35DFD38CF51AEF19E2C88FCA7AA7AE3E45
                                                                                          SHA-256:D6C980735A473D0384FE819D48A73782B34B08062DB65EADD313141CE32FD700
                                                                                          SHA-512:B943CA271C4A42052FEC6AB20021DE9E6C26DC0D75D68087A0711091D6CC7F2FBE638FF186FB8AA177F392466BAA223C8516B5088DC697BEC838ED4410E86983
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&.......X...v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11193856
                                                                                          Entropy (8bit):4.606789659787796
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:Oc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:O1OZDisvwdaxO0PuG1R4CWs
                                                                                          MD5:3B676A4B7350880B5593DF595D075E81
                                                                                          SHA1:1C86FB35DFD38CF51AEF19E2C88FCA7AA7AE3E45
                                                                                          SHA-256:D6C980735A473D0384FE819D48A73782B34B08062DB65EADD313141CE32FD700
                                                                                          SHA-512:B943CA271C4A42052FEC6AB20021DE9E6C26DC0D75D68087A0711091D6CC7F2FBE638FF186FB8AA177F392466BAA223C8516B5088DC697BEC838ED4410E86983
                                                                                          Malicious:true
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&.......X...v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\netsh.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3773
                                                                                          Entropy (8bit):4.7109073551842435
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                          MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                          SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                          SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                          SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                          Malicious:false
                                                                                          Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):4.599620972335306
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:knkduwqg.exe
                                                                                          File size:12'330'496 bytes
                                                                                          MD5:b32f61c5c47e9473cf4a0ac98e8143c1
                                                                                          SHA1:d6de6d48a87510f4ba641785e56311a4732dcf26
                                                                                          SHA256:2d49ab2f33264eb29d38ab91a7c6dc193a6a0fa65260b0295b1123c18612d7c5
                                                                                          SHA512:cc0cc0499616d0277920597b7beb8ee0b53d99c9e8d8c827c6e2244dc9a98785a848f17368f6991d362f9b6f76cd3a1f7ebcc31e99c34097c458872336ab5c21
                                                                                          SSDEEP:6144:9c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:91OZDisvwdaxO0PuG1R4CWs
                                                                                          TLSH:2DC6537392E5BD54FA627A329E2FC6FC361EF951CD08379A2118BF0F2471162D1AA311
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e...................
                                                                                          Icon Hash:cd4d3d2e4e054d03
                                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                          Sep 3, 2024 19:05:05.578614950 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
                                                                                          Sep 3, 2024 19:05:06.583926916 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
                                                                                          Sep 3, 2024 19:05:08.583971977 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
                                                                                          Sep 3, 2024 19:05:08.929419994 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:05:08.929476976 CEST | 443 | 49732 | 77.232.41.29 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:08.929548979 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:05:12.583942890 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
                                                                                          Sep 3, 2024 19:05:20.599555969 CEST | 49731 | 25 | 192.168.2.4 | 52.101.11.0
                                                                                          Sep 3, 2024 19:05:25.616332054 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.75
                                                                                          Sep 3, 2024 19:05:26.630917072 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.75
                                                                                          Sep 3, 2024 19:05:28.631036997 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.75
                                                                                          Sep 3, 2024 19:05:32.630948067 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.75
                                                                                          Sep 3, 2024 19:05:40.630841970 CEST | 49739 | 25 | 192.168.2.4 | 98.136.96.75
                                                                                          Sep 3, 2024 19:05:45.648068905 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
                                                                                          Sep 3, 2024 19:05:46.662201881 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
                                                                                          Sep 3, 2024 19:05:48.662147045 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
                                                                                          Sep 3, 2024 19:05:48.943578959 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:05:48.943641901 CEST | 443 | 49732 | 77.232.41.29 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:48.943689108 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:05:49.053508997 CEST | 49741 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:05:49.053558111 CEST | 443 | 49741 | 77.232.41.29 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:49.053651094 CEST | 49741 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:05:52.677731037 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
                                                                                          Sep 3, 2024 19:06:00.677818060 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
                                                                                          Sep 3, 2024 19:06:05.665548086 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                          Sep 3, 2024 19:06:06.677788019 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                          Sep 3, 2024 19:06:08.693586111 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                          Sep 3, 2024 19:06:12.709148884 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                          Sep 3, 2024 19:06:20.709157944 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                          Sep 3, 2024 19:06:29.052932978 CEST | 49741 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:06:29.053004026 CEST | 443 | 49741 | 77.232.41.29 | 192.168.2.4
                                                                                          Sep 3, 2024 19:06:29.053075075 CEST | 49741 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:06:29.163013935 CEST | 49744 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Sep 3, 2024 19:06:29.163054943 CEST | 443 | 49744 | 77.232.41.29 | 192.168.2.4
                                                                                          Sep 3, 2024 19:06:29.163130045 CEST | 49744 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                          Sep 3, 2024 19:05:05.543173075 CEST | 58311 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:05:05.570473909 CEST | 53 | 58311 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:08.614969015 CEST | 50498 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:05:08.915975094 CEST | 53 | 50498 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:25.600533009 CEST | 61359 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:05:25.607774973 CEST | 53 | 61359 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:25.608516932 CEST | 63472 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 53 | 63472 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:45.631570101 CEST | 50544 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:05:45.639190912 CEST | 53 | 50544 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:05:45.639744997 CEST | 60629 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:05:45.647589922 CEST | 53 | 60629 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:06:05.647367954 CEST | 57696 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:06:05.655879974 CEST | 53 | 57696 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:06:05.657305002 CEST | 56150 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:06:05.664890051 CEST | 53 | 56150 | 1.1.1.1 | 192.168.2.4
                                                                                          Sep 3, 2024 19:07:05.340372086 CEST | 57581 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                          Sep 3, 2024 19:07:05.348556995 CEST | 53 | 57581 | 1.1.1.1 | 192.168.2.4
                                                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                          Sep 3, 2024 19:05:05.543173075 CEST | 192.168.2.4 | 1.1.1.1 | 0xe671 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:08.614969015 CEST | 192.168.2.4 | 1.1.1.1 | 0xf13d | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.600533009 CEST | 192.168.2.4 | 1.1.1.1 | 0xe01 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.608516932 CEST | 192.168.2.4 | 1.1.1.1 | 0x9d50 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.631570101 CEST | 192.168.2.4 | 1.1.1.1 | 0xef2e | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.639744997 CEST | 192.168.2.4 | 1.1.1.1 | 0x856e | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:06:05.647367954 CEST | 192.168.2.4 | 1.1.1.1 | 0xe9e | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:06:05.657305002 CEST | 192.168.2.4 | 1.1.1.1 | 0xdb4 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:07:05.340372086 CEST | 192.168.2.4 | 1.1.1.1 | 0x7010 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                          Sep 3, 2024 19:05:05.570473909 CEST | 1.1.1.1 | 192.168.2.4 | 0xe671 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.11.0 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:05.570473909 CEST | 1.1.1.1 | 192.168.2.4 | 0xe671 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.8.49 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:05.570473909 CEST | 1.1.1.1 | 192.168.2.4 | 0xe671 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.42.0 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:05.570473909 CEST | 1.1.1.1 | 192.168.2.4 | 0xe671 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.26 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:08.915975094 CEST | 1.1.1.1 | 192.168.2.4 | 0xf13d | No error (0) | vanaheim.cn |  | 77.232.41.29 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.607774973 CEST | 1.1.1.1 | 192.168.2.4 | 0xe01 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.607774973 CEST | 1.1.1.1 | 192.168.2.4 | 0xe01 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.607774973 CEST | 1.1.1.1 | 192.168.2.4 | 0xe01 | No error (0) | yahoo.com |  |  | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 98.136.96.75 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 67.195.228.111 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 98.136.96.76 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 67.195.204.77 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 67.195.228.109 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 67.195.228.94 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 67.195.204.74 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:25.615797043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d50 | No error (0) | mta6.am0.yahoodns.net |  | 67.195.228.110 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.639190912 CEST | 1.1.1.1 | 192.168.2.4 | 0xef2e | No error (0) | google.com |  |  | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.647589922 CEST | 1.1.1.1 | 192.168.2.4 | 0x856e | No error (0) | smtp.google.com |  | 142.251.168.26 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.647589922 CEST | 1.1.1.1 | 192.168.2.4 | 0x856e | No error (0) | smtp.google.com |  | 142.251.168.27 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.647589922 CEST | 1.1.1.1 | 192.168.2.4 | 0x856e | No error (0) | smtp.google.com |  | 64.233.184.26 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.647589922 CEST | 1.1.1.1 | 192.168.2.4 | 0x856e | No error (0) | smtp.google.com |  | 64.233.184.27 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:05:45.647589922 CEST | 1.1.1.1 | 192.168.2.4 | 0x856e | No error (0) | smtp.google.com |  | 142.251.173.27 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:06:05.655879974 CEST | 1.1.1.1 | 192.168.2.4 | 0xe9e | No error (0) | mail.ru |  |  | MX (Mail exchange) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:06:05.664890051 CEST | 1.1.1.1 | 192.168.2.4 | 0xdb4 | No error (0) | mxs.mail.ru |  | 217.69.139.150 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:06:05.664890051 CEST | 1.1.1.1 | 192.168.2.4 | 0xdb4 | No error (0) | mxs.mail.ru |  | 94.100.180.31 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:07:05.348556995 CEST | 1.1.1.1 | 192.168.2.4 | 0x7010 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.42.0 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:07:05.348556995 CEST | 1.1.1.1 | 192.168.2.4 | 0x7010 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.11.0 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:07:05.348556995 CEST | 1.1.1.1 | 192.168.2.4 | 0x7010 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.8.49 | A (IP address) | IN (0x0001) | false
                                                                                          Sep 3, 2024 19:07:05.348556995 CEST | 1.1.1.1 | 192.168.2.4 | 0x7010 | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.40.26 | A (IP address) | IN (0x0001) | false

                                                                                          Target ID:0
                                                                                          Start time:13:04:59
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Users\user\Desktop\knkduwqg.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\knkduwqg.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:12'330'496 bytes
                                                                                          MD5 hash:B32F61C5C47E9473CF4A0AC98E8143C1
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1721874433.000000000061A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1687417430.0000000002240000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:1
                                                                                          Start time:13:05:00
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gtdjtffe\
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:13:05:00
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:13:05:01
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\gtdjtffe\
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:13:05:01
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:13:05:02
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" create gtdjtffe binPath= "C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d\"C:\Users\user\Desktop\knkduwqg.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                          Imagebase:0x8c0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:13:05:02
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:13:05:02
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" description gtdjtffe "wifi internet conection"
                                                                                          Imagebase:0x8c0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:13:05:02
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:13:05:03
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" start gtdjtffe
                                                                                          Imagebase:0x8c0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:13:05:03
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:13:05:03
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe /d"C:\Users\user\Desktop\knkduwqg.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:11'193'856 bytes
                                                                                          MD5 hash:3B676A4B7350880B5593DF595D075E81
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.1724774915.00000000007F2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1724915958.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1723770489.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:13:05:03
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                          Imagebase:0x1560000
                                                                                          File size:82'432 bytes
                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:13:05:03
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:13:05:04
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:svchost.exe
                                                                                          Imagebase:0x510000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Has exited:false


                                                                                            Execution Graph

                                                                                            Execution Coverage:3.7%
                                                                                            Dynamic/Decrypted Code Coverage:30.4%
                                                                                            Signature Coverage:27.4%
                                                                                            Total number of Nodes:1582
                                                                                            Total number of Limit Nodes:19
15203->15671 15206 401e6c 15208 40df70 12 API calls 15206->15208 15208->15203 15209 40e819 11 API calls 15210 401e93 15209->15210 15675 40199c inet_addr LoadLibraryA 15210->15675 15213 40e819 11 API calls 15214 401eb9 15213->15214 15215 401ed8 15214->15215 15216 40f04e 4 API calls 15214->15216 15217 40e819 11 API calls 15215->15217 15218 401ec9 15216->15218 15219 401eee 15217->15219 15220 40ea84 30 API calls 15218->15220 15221 401f0a 15219->15221 15688 401b71 15219->15688 15220->15215 15222 40e819 11 API calls 15221->15222 15224 401f23 15222->15224 15234 401f3f 15224->15234 15692 401bdf 15224->15692 15225 401efd 15226 40ea84 30 API calls 15225->15226 15226->15221 15228 40e819 11 API calls 15231 401f5e 15228->15231 15230 40ea84 30 API calls 15230->15234 15232 401f77 15231->15232 15235 40ea84 30 API calls 15231->15235 15699 4030b5 15232->15699 15234->15228 15235->15232 15237 406ec3 2 API calls 15239 401f8e GetTickCount 15237->15239 15239->14900 15241 406ec3 2 API calls 15240->15241 15242 4080eb 15241->15242 15243 4080f9 15242->15243 15244 4080ef 15242->15244 15246 40704c 16 API calls 15243->15246 15747 407ee6 15244->15747 15248 408110 15246->15248 15247 4080f4 15249 40675c 21 API calls 15247->15249 15258 408269 CreateThread 15247->15258 15248->15247 15250 408156 RegOpenKeyExA 15248->15250 15253 408244 15249->15253 15250->15247 15251 40816d RegQueryValueExA 15250->15251 15252 4081f7 15251->15252 15257 40818d 15251->15257 15254 40820d RegCloseKey 15252->15254 15256 40ec2e codecvt 4 API calls 15252->15256 15255 40ec2e codecvt 4 API calls 15253->15255 15253->15258 15254->15247 15255->15258 15264 4081dd 15256->15264 15257->15252 15259 40ebcc 4 API calls 15257->15259 15265 405e6c 15258->15265 16076 40877e 15258->16076 15260 4081a0 15259->15260 15260->15254 15261 4081aa RegQueryValueExA 15260->15261 15261->15252 15262 4081c4 15261->15262 15263 40ebcc 4 API calls 15262->15263 15263->15264 15264->15254 15815 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 
15265->15815 15267 405e71 15816 40e654 15267->15816 15269 405ec1 15270 403132 15269->15270 15271 40df70 12 API calls 15270->15271 15272 40313b 15271->15272 15273 40c125 15272->15273 15827 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15273->15827 15275 40c12d 15276 40e654 13 API calls 15275->15276 15277 40c2bd 15276->15277 15278 40e654 13 API calls 15277->15278 15279 40c2c9 15278->15279 15280 40e654 13 API calls 15279->15280 15281 40a47a 15280->15281 15282 408db1 15281->15282 15283 408dbc 15282->15283 15284 40e654 13 API calls 15283->15284 15285 408dec Sleep 15284->15285 15285->14934 15287 40c92f 15286->15287 15288 40c93c 15287->15288 15828 40c517 15287->15828 15290 40ca2b 15288->15290 15291 40e819 11 API calls 15288->15291 15290->14934 15292 40c96a 15291->15292 15293 40e819 11 API calls 15292->15293 15294 40c97d 15293->15294 15295 40e819 11 API calls 15294->15295 15296 40c990 15295->15296 15297 40c9aa 15296->15297 15298 40ebcc 4 API calls 15296->15298 15297->15290 15845 402684 15297->15845 15298->15297 15303 40ca26 15852 40c8aa 15303->15852 15306 40ca44 15307 40ca4b closesocket 15306->15307 15308 40ca83 15306->15308 15307->15303 15309 40ea84 30 API calls 15308->15309 15310 40caac 15309->15310 15311 40f04e 4 API calls 15310->15311 15312 40cab2 15311->15312 15313 40ea84 30 API calls 15312->15313 15314 40caca 15313->15314 15315 40ea84 30 API calls 15314->15315 15316 40cad9 15315->15316 15860 40c65c 15316->15860 15319 40cb60 closesocket 15319->15290 15321 40dad2 closesocket 15322 40e318 23 API calls 15321->15322 15322->15290 15323 40df4c 20 API calls 15384 40cb70 15323->15384 15328 40e654 13 API calls 15328->15384 15334 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15334->15384 15335 40cc1c GetTempPathA 15335->15384 15336 40ea84 30 API calls 15336->15384 15337 40d569 closesocket Sleep 15907 40e318 15337->15907 15338 40d815 wsprintfA 15338->15384 15339 407ead 6 API calls 15339->15384 15340 40c517 23 API calls 15340->15384 15342 
40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15342->15384 15343 40e8a1 30 API calls 15343->15384 15344 40d582 ExitProcess 15345 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15345->15384 15346 40cfe3 GetSystemDirectoryA 15346->15384 15347 40675c 21 API calls 15347->15384 15348 40d027 GetSystemDirectoryA 15348->15384 15349 40cfad GetEnvironmentVariableA 15349->15384 15350 40d105 lstrcatA 15350->15384 15351 40ef1e lstrlenA 15351->15384 15352 40cc9f CreateFileA 15354 40ccc6 WriteFile 15352->15354 15352->15384 15353 40d15b CreateFileA 15355 40d182 WriteFile CloseHandle 15353->15355 15353->15384 15356 40cdcc CloseHandle 15354->15356 15357 40cced CloseHandle 15354->15357 15355->15384 15356->15384 15363 40cd2f 15357->15363 15358 40d149 SetFileAttributesA 15358->15353 15359 40cd16 wsprintfA 15359->15363 15360 40d36e GetEnvironmentVariableA 15360->15384 15361 40d1bf SetFileAttributesA 15361->15384 15362 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15362->15384 15363->15359 15889 407fcf 15363->15889 15364 40d22d GetEnvironmentVariableA 15364->15384 15366 40d3af lstrcatA 15369 40d3f2 CreateFileA 15366->15369 15366->15384 15368 407fcf 64 API calls 15368->15384 15372 40d415 WriteFile CloseHandle 15369->15372 15369->15384 15370 40cd81 WaitForSingleObject CloseHandle CloseHandle 15373 40f04e 4 API calls 15370->15373 15371 40cda5 15374 407ee6 64 API calls 15371->15374 15372->15384 15373->15371 15375 40cdbd DeleteFileA 15374->15375 15375->15384 15376 40d4b1 CreateProcessA 15379 40d4e8 CloseHandle CloseHandle 15376->15379 15376->15384 15377 40d3e0 SetFileAttributesA 15377->15369 15378 40d26e lstrcatA 15380 40d2b1 CreateFileA 15378->15380 15378->15384 15379->15384 15381 40d2d8 WriteFile CloseHandle 15380->15381 15380->15384 15381->15384 15382 407ee6 64 API calls 15382->15384 15383 40d452 SetFileAttributesA 15383->15384 15384->15321 15384->15323 15384->15328 15384->15334 15384->15335 15384->15336 
15384->15337 15384->15338 15384->15339 15384->15340 15384->15342 15384->15343 15384->15345 15384->15346 15384->15347 15384->15348 15384->15349 15384->15350 15384->15351 15384->15352 15384->15353 15384->15358 15384->15360 15384->15361 15384->15362 15384->15364 15384->15366 15384->15368 15384->15369 15384->15376 15384->15377 15384->15378 15384->15380 15384->15382 15384->15383 15385 40d29f SetFileAttributesA 15384->15385 15388 40d31d SetFileAttributesA 15384->15388 15868 40c75d 15384->15868 15880 407e2f 15384->15880 15902 407ead 15384->15902 15912 4031d0 15384->15912 15929 403c09 15384->15929 15939 403a00 15384->15939 15943 40e7b4 15384->15943 15946 40c06c 15384->15946 15952 406f5f GetUserNameA 15384->15952 15963 40e854 15384->15963 15973 407dd6 15384->15973 15385->15380 15388->15384 15390 40741b 15389->15390 15391 406dc2 6 API calls 15390->15391 15392 40743f 15391->15392 15393 407469 RegOpenKeyExA 15392->15393 15395 4077f9 15393->15395 15404 407487 ___ascii_stricmp 15393->15404 15394 407703 RegEnumKeyA 15396 407714 RegCloseKey 15394->15396 15394->15404 15395->15004 15396->15395 15397 4074d2 RegOpenKeyExA 15397->15404 15398 40772c 15400 407742 RegCloseKey 15398->15400 15401 40774b 15398->15401 15399 407521 RegQueryValueExA 15399->15404 15400->15401 15402 4077ec RegCloseKey 15401->15402 15402->15395 15403 4076e4 RegCloseKey 15403->15404 15404->15394 15404->15397 15404->15398 15404->15399 15404->15403 15405 407769 15404->15405 15407 40f1a5 lstrlenA 15404->15407 15408 40777e GetFileAttributesExA 15404->15408 15406 4077e3 RegCloseKey 15405->15406 15406->15402 15407->15404 15408->15405 15410 407073 15409->15410 15411 4070b9 RegOpenKeyExA 15410->15411 15412 4070d0 15411->15412 15426 4071b8 15411->15426 15413 406dc2 6 API calls 15412->15413 15416 4070d5 15413->15416 15414 40719b RegEnumValueA 15415 4071af RegCloseKey 15414->15415 15414->15416 15415->15426 15416->15414 15418 4071d0 15416->15418 15432 40f1a5 lstrlenA 15416->15432 15419 407205 RegCloseKey 15418->15419 15420 
407227 15418->15420 15419->15426 15421 4072b8 ___ascii_stricmp 15420->15421 15422 40728e RegCloseKey 15420->15422 15423 4072cd RegCloseKey 15421->15423 15424 4072dd 15421->15424 15422->15426 15423->15426 15425 407311 RegCloseKey 15424->15425 15428 407335 15424->15428 15425->15426 15426->15006 15427 4073d5 RegCloseKey 15429 4073e4 15427->15429 15428->15427 15430 40737e GetFileAttributesExA 15428->15430 15431 407397 15428->15431 15430->15431 15431->15427 15433 40f1c3 15432->15433 15433->15416 15435 403edc 15434->15435 15437 403ee2 15434->15437 15436 406dc2 6 API calls 15435->15436 15436->15437 15437->15011 15439 40400b CreateFileA 15438->15439 15440 40402c GetLastError 15439->15440 15441 404052 15439->15441 15440->15441 15442 404037 15440->15442 15441->15009 15441->15014 15441->15015 15442->15441 15443 404041 Sleep 15442->15443 15443->15439 15443->15441 15445 403f7c 15444->15445 15446 403f4e GetLastError 15444->15446 15448 403f8c ReadFile 15445->15448 15446->15445 15447 403f5b WaitForSingleObject GetOverlappedResult 15446->15447 15447->15445 15449 403ff0 15448->15449 15450 403fc2 GetLastError 15448->15450 15449->15020 15449->15021 15450->15449 15451 403fcf WaitForSingleObject GetOverlappedResult 15450->15451 15451->15449 15455 40eb74 15452->15455 15456 40eb7b GetProcessHeap HeapSize 15455->15456 15457 404350 15455->15457 15456->15457 15457->15028 15459 401924 GetVersionExA 15458->15459 15459->15072 15461 406f55 15460->15461 15462 406eef AllocateAndInitializeSid 15460->15462 15461->15082 15463 406f44 15462->15463 15464 406f1c CheckTokenMembership 15462->15464 15463->15461 15494 406e36 GetUserNameW 15463->15494 15465 406f3b FreeSid 15464->15465 15466 406f2e 15464->15466 15465->15463 15466->15465 15469 409308 15468->15469 15471 40920e 15468->15471 15469->15100 15470 4092f1 Sleep 15470->15471 15471->15469 15471->15470 15471->15471 15472 4092bf ShellExecuteA 15471->15472 15472->15469 15472->15471 15474 40ef32 15473->15474 15474->15097 15476 40f0f1 15475->15476 15477 
40f0ed 15475->15477 15478 40f119 15476->15478 15479 40f0fa lstrlenA SysAllocStringByteLen 15476->15479 15477->15104 15481 40f11c MultiByteToWideChar 15478->15481 15480 40f117 15479->15480 15479->15481 15480->15104 15481->15480 15483 401820 17 API calls 15482->15483 15484 4018f2 15483->15484 15485 4018f9 15484->15485 15497 401280 15484->15497 15485->15100 15487 401908 15487->15100 15509 401000 15488->15509 15490 401839 15491 401851 GetCurrentProcess 15490->15491 15492 40183d 15490->15492 15493 401864 15491->15493 15492->15091 15493->15091 15495 406e97 15494->15495 15496 406e5f LookupAccountNameW 15494->15496 15495->15461 15496->15495 15498 4012e1 15497->15498 15499 4016f9 GetLastError 15498->15499 15506 4013a8 15498->15506 15500 401699 15499->15500 15500->15487 15501 401570 lstrlenW 15501->15506 15502 4015be GetStartupInfoW 15502->15506 15503 4015ff CreateProcessWithLogonW 15504 4016bf GetLastError 15503->15504 15505 40163f WaitForSingleObject 15503->15505 15504->15500 15505->15506 15507 401659 CloseHandle 15505->15507 15506->15500 15506->15501 15506->15502 15506->15503 15508 401668 CloseHandle 15506->15508 15507->15506 15508->15506 15510 40100d LoadLibraryA 15509->15510 15525 401023 15509->15525 15511 401021 15510->15511 15510->15525 15511->15490 15512 4010b5 GetProcAddress 15513 4010d1 GetProcAddress 15512->15513 15514 40127b 15512->15514 15513->15514 15515 4010f0 GetProcAddress 15513->15515 15514->15490 15515->15514 15516 401110 GetProcAddress 15515->15516 15516->15514 15517 401130 GetProcAddress 15516->15517 15517->15514 15518 40114f GetProcAddress 15517->15518 15518->15514 15519 40116f GetProcAddress 15518->15519 15519->15514 15520 40118f GetProcAddress 15519->15520 15520->15514 15521 4011ae GetProcAddress 15520->15521 15521->15514 15522 4011ce GetProcAddress 15521->15522 15522->15514 15523 4011ee GetProcAddress 15522->15523 15523->15514 15524 401209 GetProcAddress 15523->15524 15524->15514 15526 401225 GetProcAddress 15524->15526 15525->15512 15529 4010ae 
15525->15529 15526->15514 15527 401241 GetProcAddress 15526->15527 15527->15514 15528 40125c GetProcAddress 15527->15528 15528->15514 15529->15490 15532 4069b9 WriteFile 15530->15532 15533 406a3c 15532->15533 15535 4069ff 15532->15535 15533->15113 15533->15114 15534 406a10 WriteFile 15534->15533 15534->15535 15535->15533 15535->15534 15537 40eb17 15536->15537 15539 40eb21 15536->15539 15540 40eae4 15537->15540 15539->15118 15541 40eb02 GetProcAddress 15540->15541 15542 40eaed LoadLibraryA 15540->15542 15541->15539 15542->15541 15543 40eb01 15542->15543 15543->15539 15545 40eba7 GetProcessHeap HeapSize 15544->15545 15546 40ebbf GetProcessHeap HeapFree 15544->15546 15545->15546 15546->15147 15548 40908d 15547->15548 15549 4090e2 wsprintfA 15548->15549 15550 40ee2a 15549->15550 15551 4090fd CreateFileA 15550->15551 15552 40911a lstrlenA WriteFile CloseHandle 15551->15552 15553 40913f 15551->15553 15552->15553 15553->15156 15553->15157 15555 40ee2a 15554->15555 15556 409794 CreateProcessA 15555->15556 15557 4097c2 15556->15557 15558 4097bb 15556->15558 15559 4097d4 GetThreadContext 15557->15559 15558->15168 15560 409801 15559->15560 15561 4097f5 15559->15561 15568 40637c 15560->15568 15562 4097f6 TerminateProcess 15561->15562 15562->15558 15564 409816 15564->15562 15565 40981e WriteProcessMemory 15564->15565 15565->15561 15566 40983b SetThreadContext 15565->15566 15566->15561 15567 409858 ResumeThread 15566->15567 15567->15558 15569 406386 15568->15569 15570 40638a GetModuleHandleA VirtualAlloc 15568->15570 15569->15564 15571 4063b6 15570->15571 15575 4063f5 15570->15575 15572 4063be VirtualAllocEx 15571->15572 15573 4063d6 15572->15573 15572->15575 15574 4063df WriteProcessMemory 15573->15574 15574->15575 15575->15564 15577 40dd41 InterlockedExchange 15576->15577 15578 40dd20 GetCurrentThreadId 15577->15578 15582 40dd4a 15577->15582 15579 40dd53 GetCurrentThreadId 15578->15579 15580 40dd2e GetTickCount 15578->15580 15579->15171 15581 40dd39 Sleep 15580->15581 
15580->15582 15581->15577 15582->15579 15584 40dbf0 15583->15584 15616 40db67 GetEnvironmentVariableA 15584->15616 15586 40dc19 15587 40dcda 15586->15587 15588 40db67 3 API calls 15586->15588 15587->15173 15589 40dc5c 15588->15589 15589->15587 15590 40db67 3 API calls 15589->15590 15591 40dc9b 15590->15591 15591->15587 15592 40db67 3 API calls 15591->15592 15592->15587 15594 40db55 15593->15594 15595 40db3a 15593->15595 15594->15175 15594->15180 15620 40ebed 15595->15620 15629 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15597->15629 15599 40e3be 15599->15175 15600 40e342 15600->15599 15632 40de24 15600->15632 15603 40e528 15602->15603 15604 40e3f4 15602->15604 15603->15184 15605 40e434 RegQueryValueExA 15604->15605 15606 40e458 15605->15606 15607 40e51d RegCloseKey 15605->15607 15608 40e46e RegQueryValueExA 15606->15608 15607->15603 15608->15606 15609 40e488 15608->15609 15609->15607 15610 40db2e 8 API calls 15609->15610 15611 40e499 15610->15611 15611->15607 15612 40e4b9 RegQueryValueExA 15611->15612 15613 40e4e8 15611->15613 15612->15611 15612->15613 15613->15607 15614 40e332 14 API calls 15613->15614 15615 40e513 15614->15615 15615->15607 15617 40db89 lstrcpyA CreateFileA 15616->15617 15618 40dbca 15616->15618 15617->15586 15618->15586 15621 40ec01 15620->15621 15622 40ebf6 15620->15622 15624 40eba0 codecvt 2 API calls 15621->15624 15623 40ebcc 4 API calls 15622->15623 15625 40ebfe 15623->15625 15626 40ec0a GetProcessHeap HeapReAlloc 15624->15626 15625->15594 15627 40eb74 2 API calls 15626->15627 15628 40ec28 15627->15628 15628->15594 15643 40eb41 15629->15643 15633 40de3a 15632->15633 15636 40de4e 15633->15636 15647 40dd84 15633->15647 15636->15600 15637 40de76 15651 40ddcf 15637->15651 15638 40ebed 8 API calls 15641 40def6 15638->15641 15640 40de9e 15640->15636 15640->15638 15641->15636 15642 40ddcf lstrcmpA 15641->15642 15642->15636 15644 40eb54 15643->15644 15645 40eb4a 15643->15645 15644->15600 15646 40eae4 2 API calls 15645->15646 15646->15644 
15648 40dd96 15647->15648 15649 40ddc5 15647->15649 15648->15649 15650 40ddad lstrcmpiA 15648->15650 15649->15637 15649->15640 15650->15648 15650->15649 15652 40de20 15651->15652 15653 40dddd 15651->15653 15652->15636 15653->15652 15654 40ddfa lstrcmpA 15653->15654 15654->15653 15656 40dd05 6 API calls 15655->15656 15657 40e821 15656->15657 15658 40dd84 lstrcmpiA 15657->15658 15659 40e82c 15658->15659 15661 40e844 15659->15661 15703 402480 15659->15703 15661->15200 15663 40dd05 6 API calls 15662->15663 15664 40df7c 15663->15664 15665 40dd84 lstrcmpiA 15664->15665 15668 40df89 15665->15668 15666 40dfc4 15666->15206 15667 40ddcf lstrcmpA 15667->15668 15668->15666 15668->15667 15669 40ec2e codecvt 4 API calls 15668->15669 15670 40dd84 lstrcmpiA 15668->15670 15669->15668 15670->15668 15672 40ea98 15671->15672 15712 40e8a1 15672->15712 15674 401e84 15674->15209 15676 4019d5 GetProcAddress GetProcAddress GetProcAddress 15675->15676 15679 4019ce 15675->15679 15677 401ab3 FreeLibrary 15676->15677 15678 401a04 15676->15678 15677->15679 15678->15677 15680 401a14 GetProcessHeap 15678->15680 15679->15213 15680->15679 15682 401a2e HeapAlloc 15680->15682 15682->15679 15683 401a42 15682->15683 15684 401a52 HeapReAlloc 15683->15684 15686 401a62 15683->15686 15684->15686 15685 401aa1 FreeLibrary 15685->15679 15686->15685 15687 401a96 HeapFree 15686->15687 15687->15685 15740 401ac3 LoadLibraryA 15688->15740 15691 401bcf 15691->15225 15693 401ac3 12 API calls 15692->15693 15694 401c09 15693->15694 15695 401c41 15694->15695 15696 401c0d GetComputerNameA 15694->15696 15695->15230 15697 401c45 GetVolumeInformationA 15696->15697 15698 401c1f 15696->15698 15697->15695 15698->15695 15698->15697 15700 40ee2a 15699->15700 15701 4030d0 gethostname gethostbyname 15700->15701 15702 401f82 15701->15702 15702->15237 15702->15239 15706 402419 lstrlenA 15703->15706 15705 402491 15705->15661 15707 402474 15706->15707 15708 40243d lstrlenA 15706->15708 15707->15705 15709 402464 lstrlenA 15708->15709 
15710 40244e lstrcmpiA 15708->15710 15709->15707 15709->15708 15710->15709 15711 40245c 15710->15711 15711->15707 15711->15709 15713 40dd05 6 API calls 15712->15713 15714 40e8b4 15713->15714 15715 40dd84 lstrcmpiA 15714->15715 15716 40e8c0 15715->15716 15717 40e90a 15716->15717 15718 40e8c8 lstrcpynA 15716->15718 15719 402419 4 API calls 15717->15719 15728 40ea27 15717->15728 15720 40e8f5 15718->15720 15721 40e926 lstrlenA lstrlenA 15719->15721 15733 40df4c 15720->15733 15722 40e96a 15721->15722 15723 40e94c lstrlenA 15721->15723 15727 40ebcc 4 API calls 15722->15727 15722->15728 15723->15722 15725 40e901 15726 40dd84 lstrcmpiA 15725->15726 15726->15717 15729 40e98f 15727->15729 15728->15674 15729->15728 15730 40df4c 20 API calls 15729->15730 15731 40ea1e 15730->15731 15732 40ec2e codecvt 4 API calls 15731->15732 15732->15728 15734 40dd05 6 API calls 15733->15734 15735 40df51 15734->15735 15736 40f04e 4 API calls 15735->15736 15737 40df58 15736->15737 15738 40de24 10 API calls 15737->15738 15739 40df63 15738->15739 15739->15725 15741 401ae2 GetProcAddress 15740->15741 15744 401b68 GetComputerNameA GetVolumeInformationA 15740->15744 15742 401af5 15741->15742 15741->15744 15743 40ebed 8 API calls 15742->15743 15745 401b29 15742->15745 15743->15742 15744->15691 15745->15744 15745->15745 15746 40ec2e codecvt 4 API calls 15745->15746 15746->15744 15748 406ec3 2 API calls 15747->15748 15749 407ef4 15748->15749 15750 4073ff 17 API calls 15749->15750 15751 407fc9 15749->15751 15752 407f16 15750->15752 15751->15247 15752->15751 15760 407809 GetUserNameA 15752->15760 15754 407f63 15754->15751 15755 40ef1e lstrlenA 15754->15755 15756 407fa6 15755->15756 15757 40ef1e lstrlenA 15756->15757 15758 407fb7 15757->15758 15784 407a95 RegOpenKeyExA 15758->15784 15761 40783d LookupAccountNameA 15760->15761 15762 407a8d 15760->15762 15761->15762 15763 407874 GetLengthSid GetFileSecurityA 15761->15763 15762->15754 15763->15762 15764 4078a8 GetSecurityDescriptorOwner 15763->15764 15765 
4078c5 EqualSid 15764->15765 15766 40791d GetSecurityDescriptorDacl 15764->15766 15765->15766 15767 4078dc LocalAlloc 15765->15767 15766->15762 15772 407941 15766->15772 15767->15766 15768 4078ef InitializeSecurityDescriptor 15767->15768 15770 407916 LocalFree 15768->15770 15771 4078fb SetSecurityDescriptorOwner 15768->15771 15769 40795b GetAce 15769->15772 15770->15766 15771->15770 15773 40790b SetFileSecurityA 15771->15773 15772->15762 15772->15769 15774 407980 EqualSid 15772->15774 15775 407a3d 15772->15775 15776 4079be EqualSid 15772->15776 15777 40799d DeleteAce 15772->15777 15773->15770 15774->15772 15775->15762 15778 407a43 LocalAlloc 15775->15778 15776->15772 15777->15772 15778->15762 15779 407a56 InitializeSecurityDescriptor 15778->15779 15780 407a62 SetSecurityDescriptorDacl 15779->15780 15781 407a86 LocalFree 15779->15781 15780->15781 15782 407a73 SetFileSecurityA 15780->15782 15781->15762 15782->15781 15783 407a83 15782->15783 15783->15781 15785 407ac4 15784->15785 15786 407acb GetUserNameA 15784->15786 15785->15751 15787 407da7 RegCloseKey 15786->15787 15788 407aed LookupAccountNameA 15786->15788 15787->15785 15788->15787 15789 407b24 RegGetKeySecurity 15788->15789 15789->15787 15790 407b49 GetSecurityDescriptorOwner 15789->15790 15791 407b63 EqualSid 15790->15791 15792 407bb8 GetSecurityDescriptorDacl 15790->15792 15791->15792 15793 407b74 LocalAlloc 15791->15793 15794 407da6 15792->15794 15801 407bdc 15792->15801 15793->15792 15795 407b8a InitializeSecurityDescriptor 15793->15795 15794->15787 15796 407bb1 LocalFree 15795->15796 15797 407b96 SetSecurityDescriptorOwner 15795->15797 15796->15792 15797->15796 15799 407ba6 RegSetKeySecurity 15797->15799 15798 407bf8 GetAce 15798->15801 15799->15796 15800 407c1d EqualSid 15800->15801 15801->15794 15801->15798 15801->15800 15802 407cd9 15801->15802 15803 407c5f EqualSid 15801->15803 15804 407c3a DeleteAce 15801->15804 15802->15794 15805 407d5a LocalAlloc 15802->15805 15806 407cf2 RegOpenKeyExA 15802->15806 
15803->15801 15804->15801 15805->15794 15807 407d70 InitializeSecurityDescriptor 15805->15807 15806->15805 15812 407d0f 15806->15812 15808 407d7c SetSecurityDescriptorDacl 15807->15808 15809 407d9f LocalFree 15807->15809 15808->15809 15810 407d8c RegSetKeySecurity 15808->15810 15809->15794 15810->15809 15811 407d9c 15810->15811 15811->15809 15813 407d43 RegSetValueExA 15812->15813 15813->15805 15814 407d54 15813->15814 15814->15805 15815->15267 15817 40dd05 6 API calls 15816->15817 15821 40e65f 15817->15821 15818 40e6a5 15819 40ebcc 4 API calls 15818->15819 15826 40e6f5 15818->15826 15820 40e6b0 15819->15820 15823 40e6b7 15820->15823 15825 40e6e0 lstrcpynA 15820->15825 15820->15826 15821->15818 15822 40e68c lstrcmpA 15821->15822 15822->15821 15823->15269 15824 40e71d lstrcmpA 15824->15826 15825->15826 15826->15823 15826->15824 15827->15275 15829 40c525 15828->15829 15830 40c532 15828->15830 15829->15830 15833 40ec2e codecvt 4 API calls 15829->15833 15831 40c548 15830->15831 15980 40e7ff 15830->15980 15834 40e7ff lstrcmpiA 15831->15834 15842 40c54f 15831->15842 15833->15830 15835 40c615 15834->15835 15836 40ebcc 4 API calls 15835->15836 15835->15842 15836->15842 15837 40c5d1 15840 40ebcc 4 API calls 15837->15840 15839 40e819 11 API calls 15841 40c5b7 15839->15841 15840->15842 15843 40f04e 4 API calls 15841->15843 15842->15288 15844 40c5bf 15843->15844 15844->15831 15844->15837 15846 402692 inet_addr 15845->15846 15847 40268e 15845->15847 15846->15847 15848 40269e gethostbyname 15846->15848 15849 40f428 15847->15849 15848->15847 15983 40f315 15849->15983 15854 40c8d2 15852->15854 15853 40c907 15853->15290 15854->15853 15855 40c517 23 API calls 15854->15855 15855->15853 15856 40f43e 15857 40f473 recv 15856->15857 15858 40f47c 15857->15858 15859 40f458 15857->15859 15858->15306 15859->15857 15859->15858 15861 40c670 15860->15861 15862 40c67d 15860->15862 15863 40ebcc 4 API calls 15861->15863 15864 40ebcc 4 API calls 15862->15864 15866 40c699 15862->15866 15863->15862 
15864->15866 15865 40c6f3 15865->15319 15865->15384 15866->15865 15867 40c73c send 15866->15867 15867->15865 15869 40c770 15868->15869 15870 40c77d 15868->15870 15871 40ebcc 4 API calls 15869->15871 15872 40c799 15870->15872 15873 40ebcc 4 API calls 15870->15873 15871->15870 15874 40c7b5 15872->15874 15875 40ebcc 4 API calls 15872->15875 15873->15872 15876 40f43e recv 15874->15876 15875->15874 15877 40c7cb 15876->15877 15878 40c7d3 15877->15878 15879 40f43e recv 15877->15879 15878->15384 15879->15878 15996 407db7 15880->15996 15883 40f04e 4 API calls 15886 407e4c 15883->15886 15884 407e96 15884->15384 15885 407e70 15885->15884 15887 40f04e 4 API calls 15885->15887 15886->15885 15888 40f04e 4 API calls 15886->15888 15887->15884 15888->15885 15890 406ec3 2 API calls 15889->15890 15891 407fdd 15890->15891 15892 4073ff 17 API calls 15891->15892 15901 4080c2 CreateProcessA 15891->15901 15893 407fff 15892->15893 15894 407809 21 API calls 15893->15894 15893->15901 15895 40804d 15894->15895 15896 40ef1e lstrlenA 15895->15896 15895->15901 15897 40809e 15896->15897 15898 40ef1e lstrlenA 15897->15898 15899 4080af 15898->15899 15900 407a95 24 API calls 15899->15900 15900->15901 15901->15370 15901->15371 15903 407db7 2 API calls 15902->15903 15904 407eb8 15903->15904 15905 40f04e 4 API calls 15904->15905 15906 407ece DeleteFileA 15905->15906 15906->15384 15908 40dd05 6 API calls 15907->15908 15909 40e31d 15908->15909 16000 40e177 15909->16000 15911 40e326 15911->15344 15913 4031f3 15912->15913 15914 4031ec 15912->15914 15915 40ebcc 4 API calls 15913->15915 15914->15384 15928 4031fc 15915->15928 15916 403459 15919 40f04e 4 API calls 15916->15919 15917 40349d 15918 40ec2e codecvt 4 API calls 15917->15918 15918->15914 15920 40345f 15919->15920 15921 4030fa 4 API calls 15920->15921 15921->15914 15922 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15922->15928 15923 40344d 15924 40ec2e codecvt 4 API calls 15923->15924 15925 40344b 15924->15925 15925->15916 
15925->15917 15927 403141 lstrcmpiA 15927->15928 15928->15914 15928->15922 15928->15923 15928->15925 15928->15927 16026 4030fa GetTickCount 15928->16026 15930 4030fa 4 API calls 15929->15930 15931 403c1a 15930->15931 15932 403ce6 15931->15932 16031 403a72 15931->16031 15932->15384 15935 403a72 9 API calls 15937 403c5e 15935->15937 15936 403a72 9 API calls 15936->15937 15937->15932 15937->15936 15938 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15937->15938 15938->15937 15940 403a10 15939->15940 15941 4030fa 4 API calls 15940->15941 15942 403a1a 15941->15942 15942->15384 15944 40dd05 6 API calls 15943->15944 15945 40e7be 15944->15945 15945->15384 15947 40c105 15946->15947 15948 40c07e wsprintfA 15946->15948 15947->15384 16040 40bfce GetTickCount wsprintfA 15948->16040 15950 40c0ef 16041 40bfce GetTickCount wsprintfA 15950->16041 15953 407047 15952->15953 15954 406f88 15952->15954 15953->15384 15954->15954 15955 406f94 LookupAccountNameA 15954->15955 15956 407025 15955->15956 15957 406fcb 15955->15957 15958 406edd 5 API calls 15956->15958 15959 406fdb ConvertSidToStringSidA 15957->15959 15960 40702a wsprintfA 15958->15960 15959->15956 15961 406ff1 15959->15961 15960->15953 15962 407013 LocalFree 15961->15962 15962->15956 15964 40dd05 6 API calls 15963->15964 15965 40e85c 15964->15965 15966 40dd84 lstrcmpiA 15965->15966 15967 40e867 15966->15967 15968 40e885 lstrcpyA 15967->15968 16042 4024a5 15967->16042 16045 40dd69 15968->16045 15974 407db7 2 API calls 15973->15974 15975 407de1 15974->15975 15976 40f04e 4 API calls 15975->15976 15979 407e16 15975->15979 15977 407df2 15976->15977 15978 40f04e 4 API calls 15977->15978 15977->15979 15978->15979 15979->15384 15981 40dd84 lstrcmpiA 15980->15981 15982 40c58e 15981->15982 15982->15831 15982->15837 15982->15839 15984 40ca1d 15983->15984 15985 40f33b 15983->15985 15984->15303 15984->15856 15986 40f347 htons socket 15985->15986 15987 40f382 ioctlsocket 15986->15987 15988 40f374 closesocket 15986->15988 
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                            • API String ID: 2089075347-2824936573
                                                                                            • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                             control_flow_graph 264 407a95-407ac2 RegOpenKeyExA 265 407ac4-407ac6 264->265 266 407acb-407ae7 GetUserNameA 264->266 267 407db4-407db6 265->267 268 407da7-407db3 RegCloseKey 266->268 269 407aed-407b1e LookupAccountNameA 266->269 268->267 269->268 270 407b24-407b43 RegGetKeySecurity 269->270 270->268 271 407b49-407b61 GetSecurityDescriptorOwner 270->271 272 407b63-407b72 EqualSid 271->272 273 407bb8-407bd6 GetSecurityDescriptorDacl 271->273 272->273 274 407b74-407b88 LocalAlloc 272->274 275 407da6 273->275 276 407bdc-407be1 273->276 274->273 277 407b8a-407b94 InitializeSecurityDescriptor 274->277 275->268 276->275 278 407be7-407bf2 276->278 279 407bb1-407bb2 LocalFree 277->279 280 407b96-407ba4 SetSecurityDescriptorOwner 277->280 278->275 281 407bf8-407c08 GetAce 278->281 279->273 280->279 284 407ba6-407bab RegSetKeySecurity 280->284 282 407cc6 281->282 283 407c0e-407c1b 281->283 285 407cc9-407cd3 282->285 286 407c1d-407c2f EqualSid 283->286 287 407c4f-407c52 283->287 284->279 285->281 288 407cd9-407cdc 285->288 289 407c31-407c34 286->289 290 407c36-407c38 286->290 291 407c54-407c5e 287->291 292 407c5f-407c71 EqualSid 287->292 288->275 293 407ce2-407ce8 288->293 289->286 289->290 290->287 294 407c3a-407c4d DeleteAce 290->294 291->292 295 407c73-407c84 292->295 296 407c86 292->296 297 407d5a-407d6e LocalAlloc 293->297 298 407cea-407cf0 293->298 294->285 299 407c8b-407c8e 295->299 296->299 297->275 303 407d70-407d7a InitializeSecurityDescriptor 297->303 298->297 300 407cf2-407d0d RegOpenKeyExA 298->300 301 407c90-407c96 299->301 302 407c9d-407c9f 299->302 300->297 304 407d0f-407d16 300->304 301->302 305 407ca1-407ca5 302->305 306 407ca7-407cc3 302->306 307 407d7c-407d8a SetSecurityDescriptorDacl 303->307 308 407d9f-407da0 LocalFree 303->308 309 407d19-407d1e 304->309 305->282 305->306 306->282 307->308 310 407d8c-407d9a RegSetKeySecurity 307->310 308->275 309->309 311 407d20-407d52 call 402544 RegSetValueExA 309->311 310->308 312 407d9c 310->312 311->297 315 407d54 311->315 312->308 315->297
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 549 409326-409348 call 401910 GetVersionExA 552 409358-40935c 549->552 553 40934a-409356 549->553 554 409360-40937d GetModuleHandleA GetModuleFileNameA 552->554 553->554 555 409385-4093a2 554->555 556 40937f 554->556 557 4093a4-4093d7 call 402544 wsprintfA 555->557 558 4093d9-409412 call 402544 wsprintfA 555->558 556->555 563 409415-40942c call 40ee2a 557->563 558->563 566 4094a3-4094b3 call 406edd 563->566 567 40942e-409432 563->567 572 4094b9-4094f9 call 402544 RegOpenKeyExA 566->572 573 40962f-409632 566->573 567->566 569 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 567->569 569->566 584 409502-40952e call 402544 RegQueryValueExA 572->584 585 4094fb-409500 572->585 575 409634-409637 573->575 578 409639-40964a call 401820 575->578 579 40967b-409682 575->579 596 40964c-409662 578->596 597 40966d-409679 578->597 582 409683 call 4091eb 579->582 593 409688-409690 582->593 599 409530-409537 584->599 600 409539-409565 call 402544 RegQueryValueExA 584->600 589 40957a-40957f 585->589 594 409581-409584 589->594 595 40958a-40958d 589->595 602 409692 593->602 603 409698-4096a0 593->603 594->575 594->595 595->579 604 409593-40959a 595->604 605 409664-40966b 596->605 606 40962b-40962d 596->606 597->582 607 40956e-409577 RegCloseKey 599->607 600->607 617 409567 600->617 602->603 610 4096a2-4096a9 603->610 611 40961a-40961f 604->611 612 40959c-4095a1 604->612 605->606 606->610 607->589 615 409625 611->615 612->611 616 4095a3-4095c0 call 40f0e4 612->616 615->606 622 4095c2-4095db call 4018e0 616->622 623 40960c-409618 616->623 617->607 622->610 626 4095e1-4095f9 622->626 623->615 626->610 627 4095ff-409607 626->627 627->610
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                            • API String ID: 3696105349-2220793183
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 666 406a60-406a89 CreateFileA 667 406b8c-406ba1 GetLastError 666->667 668 406a8f-406ac3 GetDiskFreeSpaceA 666->668 671 406ba3-406ba6 667->671 669 406ac5-406adc call 40eb0e 668->669 670 406b1d-406b34 call 406987 668->670 669->670 678 406ade 669->678 676 406b56-406b63 FindCloseChangeNotification 670->676 677 406b36-406b54 GetLastError CloseHandle 670->677 680 406b65-406b7d GetLastError CloseHandle 676->680 681 406b86-406b8a 676->681 679 406b7f-406b80 DeleteFileA 677->679 682 406ae0-406ae5 678->682 683 406ae7-406afb call 40eca5 678->683 679->681 680->679 681->671 682->683 684 406afd-406aff 682->684 683->670 684->670 686 406b01 684->686 688 406b03-406b08 686->688 689 406b0a-406b17 call 40eca5 686->689 688->670 688->689 689->670
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1251348514-2980165447
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 821 72092b-720970 GetPEB 822 720972-720978 821->822 823 72097a-72098a call 720d35 822->823 824 72098c-72098e 822->824 823->824 830 720992-720994 823->830 824->822 825 720990 824->825 827 720996-720998 825->827 829 720a3b-720a3e 827->829 830->827 831 72099d-7209d3 830->831 832 7209dc-7209ee call 720d0c 831->832 835 7209f0-720a3a 832->835 836 7209d5-7209d8 832->836 835->829 836->832
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$GetProcAddress.$l
                                                                                            • API String ID: 0-2784972518
                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction ID: 9248be7a0968b3dbe9a1f9f8590bfd1b4edbc9b954090c5527be1aa7a1347cb6
                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction Fuzzy Hash: 90317AB6901619CFDB10CF99D884AAEBBF9FF08324F24404AD441A7312D775EA85CBA4

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 880 62a128-62a141 881 62a143-62a145 880->881 882 62a147 881->882 883 62a14c-62a158 CreateToolhelp32Snapshot 881->883 882->883 884 62a15a-62a160 883->884 885 62a168-62a175 Module32First 883->885 884->885 890 62a162-62a166 884->890 886 62a177-62a178 call 629de7 885->886 887 62a17e-62a186 885->887 891 62a17d 886->891 890->881 890->885 891->887
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0062A150
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 0062A170
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721874433.000000000061A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061A000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_61a000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: 5d5200758fea0a6b218dee739dd937d82df33859059cbb1973bef6d39009f191
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: C1F09631500B256BD7203BF9BC8DBAF76E9AF49734F100568E642D55C0DBB0EC458E62
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                              • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                            • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"$PromptOnSecureDesktop
                                                                                            • API String ID: 4293430545-98143240

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0072024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                              • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                              • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                              • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                              • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                              • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4131120076-2980165447

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID: PromptOnSecureDesktop
• API String ID: 408151869-2980165447

Control-flow Graph: basic blocks 406987-406a5f (graph image omitted)
APIs
• WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162

Control-flow Graph: basic blocks 4091eb-409324 (graph image omitted)
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
• Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-0

Control-flow Graph: basic blocks 720e0f-720e2c (graph image omitted)
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,00720223,?,?), ref: 00720E19
• SetErrorMode.KERNELBASE(00000000,?,?,00720223,?,?), ref: 00720E1E
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID:
• API String ID: 1823874839-0
APIs
• TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00720929
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Similarity
• API ID: ProcessTerminate
• String ID:
• API String ID: 560597551-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00629E38
Memory Dump Source
• Source File: 00000000.00000002.1721874433.000000000061A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61a000_knkduwqg.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• closesocket.WS2_32(?), ref: 0040CA4E
• closesocket.WS2_32(?), ref: 0040CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• CloseHandle.KERNEL32(?), ref: 0040CD98
• CloseHandle.KERNEL32(?), ref: 0040CD9D
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
• lstrcatA.KERNEL32(?,?), ref: 0040D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• closesocket.WS2_32(?), ref: 0040D56C
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
• wsprintfA.USER32 ref: 0040D81F
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• closesocket.WS2_32(?), ref: 0040DAD5
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-3791576231
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
• GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
• GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
• GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
• GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
• GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
• GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-179334549
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2404124870-2980165447
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 007265F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00726610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00726631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00726652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 99b631fe0286e62b68c850d6ec0ce371abb2290a998e9b5417751d10cf082b6c
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 711173B1600228FFDB219F65EC4AF9B3FA8EB057A5F104035F908E7251D7B5DD1086A4
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3754425949-0
                                                                                            • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                            • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                            • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721874433.000000000061A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0061A000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_61a000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction ID: 57c20de7e2c138a36d09df7dd680f3b438e39fc272c49c68aa764f5575260491
                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction Fuzzy Hash: 3E1170723406109FD744DE59EC91EA673EAFBC9360B298065ED04CB355D675EC02CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction ID: 5b73c2960222beac1885d921750ed65aca91a7b389827e70e2e72963492b3e6c
                                                                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction Fuzzy Hash: 6701F776B016108FDF21DF60E804BAA33F5FB85305F0544A4D50697243E378A8418BE0
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 00729E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00729FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 00729FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0072A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0072A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0072A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0072A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 0072A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 0072A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00729F13
                                                                                              • Part of subcall function 00727029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00727081
                                                                                              • Part of subcall function 00726F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\reoueqqp,00727043), ref: 00726F4E
                                                                                              • Part of subcall function 00726F30: GetProcAddress.KERNEL32(00000000), ref: 00726F55
                                                                                              • Part of subcall function 00726F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00726F7B
                                                                                              • Part of subcall function 00726F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00726F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0072A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0072A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0072A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0072A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0072A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0072A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0072A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0072A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0072A2F4
                                                                                            • wsprintfA.USER32 ref: 0072A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0072A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 0072A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0072A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0072A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0072A1D1
                                                                                              • Part of subcall function 00729966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0072999D
                                                                                              • Part of subcall function 00729966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007299BD
                                                                                              • Part of subcall function 00729966: RegCloseKey.ADVAPI32(?), ref: 007299C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0072A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0072A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0072A41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: 0304255d19b870f160655702371576d0796d292e0c2bab35d2f031d928f15cda
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: 41F122B1D40269FFDF21DBA09C49EEF77BCAB08300F1444A5F605E2142E7799A858F65
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00727D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00727D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00727D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00727DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00727DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00727DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00727DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00727DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00727E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00727E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00727E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00727E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: e960b6e5ae886ab9fc148462f4f41f5ae7d3c12dc9cc42e7825355235072d160
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: B2A15071D04229AFDB21CFA1ED48FEEBBB9FB08300F048069E515E2150DB799A85CB65
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00727A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00727ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00727ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00727B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00727B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00727B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00727B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00727B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00727B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00727B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00727B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00727B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 00727BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00727BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 00727C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00727C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00727CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00727CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00727CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00727CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00727CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 87c3297186cfd75fd375c04c63ee0d9fa7f7bd40cb0ffd0612ead4a79c1c2374
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: F9814E71904229AFDB25CFA5EE44FEEBBBCFF08300F14816AE505E6150D7799A81CB64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                            • API String ID: 237177642-1678164370
                                                                                            • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0072865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0072867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007286A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007286B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 237177642-3108538426
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 5474521790e2e03aa461074f8185146795184524aed6783c523b2a5040147a00
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 2DC1C371901158FFEB51ABA4ED89EEF7BBCEB04300F144076F600E2151EB7A4E948B66
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 00721601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 007217D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: 6e333ff007a785d40c93c8d677b3ea24415bca007cdb1ba2d385a3ad764c359b
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: ADF19DB15083919FD720CF64D888BABB7E4FB98300F50892DF59697390D7B8D984CB52
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007276D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00727757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0072778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 007278B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0072794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0072796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0072797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 007279AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00727A56
                                                                                              • Part of subcall function 0072F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0072772A,?), ref: 0072F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007279F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00727A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: b8f9c39557f4aac98616d39186947d664951a3fa2c3d76785aff70f6dbdaa648
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: 3BC1C171904229EFEB25DFA4ED49FEE7BB8EF05310F1040A5F544E6191EB789A84CB60
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00722CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00722D07
                                                                                            • htons.WS2_32(00000000), ref: 00722D42
                                                                                            • select.WS2_32 ref: 00722D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00722DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00722E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: 25367e3750bc55d477c49ef4eeb057452fecbf0f8ed3983c2548c69658a2e435
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: 5D61E071904325BBC320AF60EC0CB6BBBF8EB48751F154819F98497152D7BDD8829BA6
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 007295A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007295D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 007295DC
                                                                                            • wsprintfA.USER32 ref: 00729635
                                                                                            • wsprintfA.USER32 ref: 00729673
                                                                                            • wsprintfA.USER32 ref: 007296F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00729758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0072978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007297D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3696105349-2980165447
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: 56dbbae3a6b0425e25370bc1e0f696becd7dd1422fe12373a31be40de606056d
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: 44A170B190026CFFEB21DFA0EC45FDA3BACEB04740F144026FA1596152E779D984CBA5
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-142018493
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00723068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00723078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 00723095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 007230B6
                                                                                            • htons.WS2_32(00000035), ref: 007230EF
                                                                                            • inet_addr.WS2_32(?), ref: 007230FA
                                                                                            • gethostbyname.WS2_32(?), ref: 0072310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 0072314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: 125d86faaebb80c475b894abfc6665ec7884afcd28586a6de6bb18c3108c5fa9
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: 57318831A0071AABDB119BB8AC48AAE7778EF04761F144125F518E7290DB7CDE518B54
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                            • API String ID: 1082366364-2834986871
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2981417381-1403908072
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007267C3
                                                                                            • htonl.WS2_32(?), ref: 007267DF
                                                                                            • htonl.WS2_32(?), ref: 007267EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007268F1
                                                                                            • ExitProcess.KERNEL32 ref: 007269BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: f998e8983be0df5b9704c5afecac26c88d8ecaa3eedac632671f528c08856f36
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: 9A617F71940218EFDB609FB4DC45FEA77E9FB08300F14806AF96DD2161DA75A9908F14
                                                                                            APIs
                                                                                            • htons.WS2_32(0072CC84), ref: 0072F5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0072F5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 0072F5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: 7be2747eb1bf52a0757db699898c8b159d6a4cf96142554ee8fc320cb3d75bba
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: 9D316C72900129ABDB10DFA5EC89DEF7BBCEF88310F10457AF915E3150E7749A858BA4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 00722FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00722FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00722FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00723000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00723007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00723032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: 14fc246d564a97bb094455ca457163c59ebfacd8f7090fddf54a9c0197bdd3e8
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: F2216071901629BBCB219B55EC48AEEBBB9FF08B50F104421F905E7151D7B8DE8287E4
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3609698214-2980165447
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\reoueqqp,00727043), ref: 00726F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00726F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00726F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00726F92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\reoueqqp
                                                                                            • API String ID: 1082366364-1352806930
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: faf02bf1ec20032baf312b97a70bec65820b31874e87e16575f2fb2d5a84d767
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: FD213821744364BAF7325731BD8DFFB2E5C8B56710F1840A5F904E5182DADD88DAC2AD
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 007292E2
                                                                                            • wsprintfA.USER32 ref: 00729350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00729375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 00729389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 00729394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0072939B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: 56b20768e098d942ea01bf10c87b0234d3da2f353472741e21a1d94c34b66362
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: CF1184B1740124BBE7606B31ED0EFEF3A6DDBC8B10F008065BB09E5095EAB84A4586A4
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00729A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 00729A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00729A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00729A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 00729AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 00729AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: f51581a32a60cd16e192075c0d9d200cb92ca5b8a86f62d10956644cbea8df70
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: 2C213D71D01229BBDF119BA1EC09EEF7BBCEF04750F448061FA19E1050E7758A44CBA4
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 00721C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 00721C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 00721C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00721C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00721CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 00721D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 00721D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: ad29e143c1c8af874217c322d5f8a831965ce1e33b26226517b96459e29c88b7
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: B4314135E00229FFCB119FE4EC888FEBBB9FB55711B64447AE501A2110D7B94E80DBA4
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1586453840-2980165447
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
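Three of the function listings above carry the interesting facts in raw hex arguments: the CreateProcessA / GetThreadContext / WriteProcessMemory / SetThreadContext / ResumeThread chain at ref 00729A18 (dwCreationFlags 00000004, SetThreadContext value 00010002), the GetTempPathA / CreateFileA / WriteFile drop at ref 007292E2 (dwDesiredAccess 40000000, dwCreationDisposition 00000002), and the RegOpenKeyExA read at ref 0040E3E6 (hKey 80000001, samDesired 00020119). The decoder below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses API bullets in the report's format, names those constants from standard Windows SDK values (00000004 = CREATE_SUSPENDED, 00010002 = CONTEXT_i386|CONTEXT_INTEGER, 40000000 = GENERIC_WRITE, 00000002 = CREATE_ALWAYS, 80000001 = HKEY_CURRENT_USER, 00020119 = KEY_READ|KEY_WOW64_64KEY), and flags the suspended-process injection chain that the "Injects a PE file into a foreign processes" signature refers to. The sample inputs are the report's own bullet lines re-typed as constructed strings; the function names, the assumption that the value printed for SetThreadContext's second argument is the CONTEXT structure's ContextFlags field, and the assumption that call-site address order approximates execution order are mine, not the report's.

```python
"""Decode hex arguments in Joe Sandbox API bullets and flag the suspended-process injection
chain.  Added example, not report or sample code; assumptions are marked in comments."""
import re
from typing import List, Tuple

# One bullet of an "APIs" section, with or without an argument list, e.g.
#   • CreateProcessA.KERNEL32(00000000,?,...,00000004,...), ref: 00729A18
#   • wsprintfA.USER32 ref: 00729350
LINE_RE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?"
                     r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Standard Windows SDK constants as ordered (mask, name) tables.  Composite rights
# come first so KEY_READ is one name and only leftover bits are listed after it.
CREATE_FLAGS = [(0x4, "CREATE_SUSPENDED"), (0x10, "CREATE_NEW_CONSOLE"), (0x08000000, "CREATE_NO_WINDOW")]
CONTEXT_FLAGS = [(0x10000, "CONTEXT_i386"), (0x1, "CONTEXT_CONTROL"), (0x2, "CONTEXT_INTEGER")]
ACCESS_FLAGS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"), (0x20000000, "GENERIC_EXECUTE")]
KEY_RIGHTS = [(0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
              (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

def decode_bits(value: int, table: List[Tuple[int, str]]) -> str:
    """Name every mask fully present in value; leftover bits stay as hex."""
    names, rest = [], value
    for mask, name in table:
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)

# (API, zero-based argument index) -> renderer.  Assumption: the value the plugin
# prints for SetThreadContext's CONTEXT* argument is the structure's ContextFlags.
DECODERS = {
    ("CreateProcessA", 5): lambda v: decode_bits(v, CREATE_FLAGS),
    ("SetThreadContext", 1): lambda v: decode_bits(v, CONTEXT_FLAGS),
    ("CreateFileA", 1): lambda v: decode_bits(v, ACCESS_FLAGS),
    ("CreateFileA", 4): lambda v: DISPOSITION.get(v, hex(v)),
    ("RegOpenKeyExA", 0): lambda v: HKEYS.get(v, hex(v)),
    ("RegOpenKeyExA", 3): lambda v: decode_bits(v, KEY_RIGHTS),
}

def parse_listing(text: str) -> List[dict]:
    """Bullet lines of one function's APIs section -> call records, address order kept."""
    def arg(tok):  # '?' = not recovered, 8 hex digits = constant, anything else = string
        tok = tok.strip()
        return None if tok == "?" else int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                                      # section headers are skipped
            raw = m.group("args")
            calls.append({"api": m.group("api"), "module": m.group("mod"),
                          "args": [arg(a) for a in raw.split(",")] if raw else [],
                          "ref": int(m.group("ref"), 16)})
    return calls

def annotate(call: dict) -> dict:
    """Symbolic names for the arguments a decoder exists for."""
    return {i: DECODERS[(call["api"], i)](v) for i, v in enumerate(call["args"])
            if (call["api"], i) in DECODERS and isinstance(v, int)}

HOLLOW_CHAIN = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

def is_suspended_injection(calls: List[dict]) -> bool:
    """CreateProcess* with CREATE_SUSPENDED, then a write into the child, a context rewrite
    and a resume, in call-site order.  Assumption: address order approximates execution
    order; unrelated calls in between (GetThreadContext, the TerminateProcess error path
    in the listing) are ignored."""
    step = 0
    for c in sorted(calls, key=lambda rec: rec["ref"]):
        if not c["api"].startswith(HOLLOW_CHAIN[step]):
            continue
        if step == 0 and not (len(c["args"]) > 5 and isinstance(c["args"][5], int)
                              and c["args"][5] & 0x4):
            continue                               # process not created suspended
        step += 1
        if step == len(HOLLOW_CHAIN):
            return True
    return False

# Constructed samples: API bullets of three functions copied from the listing above.
INJECT_FN = """\
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00729A18
• GetThreadContext.KERNEL32(?,?), ref: 00729A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00729A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00729A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00729AB5
• ResumeThread.KERNEL32(?), ref: 00729AC2
"""
DROP_FN = """\
• wsprintfA.USER32 ref: 00729350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00729375
"""
REG_FN = """\
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
"""

if __name__ == "__main__":
    for name, text in (("inject", INJECT_FN), ("drop", DROP_FN), ("reg", REG_FN)):
        calls = parse_listing(text)
        print(f"[{name}] suspended-process injection chain: {is_suspended_injection(calls)}")
        for c in calls:
            for i, sym in annotate(c).items():
                print(f"  {c['ref']:08X} {c['api']} arg{i} = {sym}")
```

Two details worth noticing once the constants are named: samDesired 00020119 is not plain KEY_READ but KEY_READ|KEY_WOW64_64KEY, so this 32-bit code is deliberately reading the 64-bit registry view rather than the WOW64-redirected one; and the chain check keys on CREATE_SUSPENDED in dwCreationFlags, since CreateProcess followed by WriteProcessMemory alone is also what a legitimate debugger or loader does. Feed it the API bullets of any other function in the report to see whether its constants and call order match.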
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1371578007-2980165447
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00726CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00726D22
                                                                                            • GetLastError.KERNEL32 ref: 00726DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 00726DB5
                                                                                            • GetLastError.KERNEL32 ref: 00726DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 00726DE7
                                                                                            • GetLastError.KERNEL32 ref: 00726DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: e594923ce62fe1fb7fd44f98ea583e209e67f20be6d6056cd84176b95d8775a3
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 5731F076A0025DBFCF01EFA4ED48ADE7F79EB48300F148066E211E3251D7749A858B61
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0072E50A,00000000,00000000,00000000,00020106,00000000,0072E50A,00000000,000000E4), ref: 0072E319
                                                                                            • RegSetValueExA.ADVAPI32(0072E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0072E38E
                                                                                            • RegDeleteValueA.ADVAPI32(0072E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dr), ref: 0072E3BF
                                                                                            • RegCloseKey.ADVAPI32(0072E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dr,0072E50A), ref: 0072E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop$Dr
                                                                                            • API String ID: 2667537340-2751667076
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: 5cc94279a0cc0780841674e58ef9e72285fe37333629677521f12ccec6920815
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: 2C215C71A0022DBBDF209FA5EC89EEE7F79EF08760F008031F904E6152E2718A54D7A0
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007293C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 007293CD
                                                                                            • CharToOemA.USER32(?,?), ref: 007293DB
                                                                                            • wsprintfA.USER32 ref: 00729410
                                                                                              • Part of subcall function 007292CB: GetTempPathA.KERNEL32(00000400,?), ref: 007292E2
                                                                                              • Part of subcall function 007292CB: wsprintfA.USER32 ref: 00729350
                                                                                              • Part of subcall function 007292CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00729375
                                                                                              • Part of subcall function 007292CB: lstrlen.KERNEL32(?,?,00000000), ref: 00729389
                                                                                              • Part of subcall function 007292CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00729394
                                                                                              • Part of subcall function 007292CB: CloseHandle.KERNEL32(00000000), ref: 0072939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00729448
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: b8eccc29efd3927bf5d550db20090e5c52ac300da8837207bdf486d7c1a6c4d3
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: C00152F6900168BBD721A7619D4DEDF377CDB95701F0040A1BB49E2080DAB89BC58F75
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                            • Instruction ID: 07e70429d677a651424bd1951c1ff55594dab3f7f93efde4ce45fc5bd0fbd8ba
                                                                                            • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                            • Instruction Fuzzy Hash: 35711871A00338BBDF318B58FC86FEE3769AB00705F244476F904A6091DA6E9EC48767
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 0072DF6C: GetCurrentThreadId.KERNEL32 ref: 0072DFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 0072E8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00726128), ref: 0072E950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 0072E989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: 92a8fc61ed853b982a33df494778ebe6d44e4e0fc1352c99d2a8c7fd501eba95
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: 30319C31600725DBDB718F24E888BAA7BE8EB15720F10892BE5D687551D378FCC0CB86
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: f1a750c30286a498f04c63cb3155421b420d7fc90d0b107c93661e1f7c39e10a
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: D7217276905125FFDB109B70FC49EDF3FADEB49760B228426F502D1091EB78DA409674
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0072C6B4
• InterlockedIncrement.KERNEL32(0072C74B), ref: 0072C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0072C747), ref: 0072C728
• CloseHandle.KERNEL32(00000000,?,0072C747,00413588,00728A77), ref: 0072C733
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007271E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00727228
• LocalFree.KERNEL32(?,?,?), ref: 00727286
• wsprintfA.USER32 ref: 0072729D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• GetLocalTime.KERNEL32(?), ref: 0072B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0072B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0072B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0072B590
• wsprintfA.USER32 ref: 0072B61E
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00726303
• LoadLibraryA.KERNEL32(?), ref: 0072632A
• GetProcAddress.KERNEL32(00000000,?), ref: 007263B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00726405
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,Dr,00000000,00000000,00000000), ref: 0072E470
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0072E484
                                                                                              • Part of subcall function 0072E2FC: RegCreateKeyExA.ADVAPI32(80000001,0072E50A,00000000,00000000,00000000,00020106,00000000,0072E50A,00000000,000000E4), ref: 0072E319
                                                                                              • Part of subcall function 0072E2FC: RegSetValueExA.ADVAPI32(0072E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0072E38E
                                                                                              • Part of subcall function 0072E2FC: RegDeleteValueA.ADVAPI32(0072E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dr), ref: 0072E3BF
                                                                                              • Part of subcall function 0072E2FC: RegCloseKey.ADVAPI32(0072E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dr,0072E50A), ref: 0072E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop$Dr
                                                                                            • API String ID: 4151426672-2751667076
                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction ID: eada3472c12f35d5953dc8625bfeff23e6384bc267de5d69ac6426282fbe1fd7
                                                                                            • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction Fuzzy Hash: 5F41AB71D00264FAEF20AF51AC4AFEB3B6CEB14764F148035FA0994192E7B9CA50D6B5
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3683885500-2980165447
                                                                                            • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                            • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                            APIs
                                                                                              • Part of subcall function 0072DF6C: GetCurrentThreadId.KERNEL32 ref: 0072DFBA
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0072A6AC), ref: 0072E7BF
                                                                                            • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0072A6AC), ref: 0072E7EA
                                                                                            • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0072A6AC), ref: 0072E819
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1396056608-2980165447
                                                                                            • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction ID: 7ba37aa38457574453713e2794237cf6f2fa8b72609143111a5fe0af56e87a12
                                                                                            • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction Fuzzy Hash: 0021B6B1A44220BAE2207B217C0AFAB3E1CDB65B60F101025FA09A5193EA6DD95081B5
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007276D9
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0072796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0072797E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEnumOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1332880857-2980165447
                                                                                            • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction ID: b1ce35dbba74b9d3dfb77ff089b0046f904ecde797faf7ae28e8edd41339ff5a
                                                                                            • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction Fuzzy Hash: BD11EE30A04129AFDB118FA9EC49FEFBF78EF81710F144165F510E6291E2B88D80CB60
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2777991786-2393279970
                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                            • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                            • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 849931509-2980165447
                                                                                            • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                            • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                            • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                            • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0072999D
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000), ref: 007299BD
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 007299C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 849931509-2980165447
                                                                                            • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                            • Instruction ID: 015ef27e494634648b7440b5ef9d33a5cb14b6359231c840567b94eee04f68ea
                                                                                            • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                            • Instruction Fuzzy Hash: EDF0F6B2680218BBF7106B50FC0BFDB3A2CDB94B10F100070FA05B5092F6E99F9182B9
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$u6A
                                                                                            • API String ID: 1594361348-1940331995
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: f6d934e0dbbc1ec3f841e2afaf8c5c6a6b59a91e6ec2d12432e441ee677d570d
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 4BE0C230604121AFCB108B2CF848AC537E4EF0A330F008180F080D31A1C738DCC29740
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 007269E5
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 00726A26
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 00726A3A
                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 00726BD8
                                                                                              • Part of subcall function 0072EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00721DCF,?), ref: 0072EEA8
                                                                                              • Part of subcall function 0072EE95: HeapFree.KERNEL32(00000000), ref: 0072EEAF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 3384756699-0
                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction ID: 635b7433c97936177607205b8e6977a6c742069f9a2bbc19d3e06e8356a22e7f
                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction Fuzzy Hash: 9F7116B1D0022DEFDB109FA4DC84AEEBBB9FB04314F2045AAE515E6190D7349E92DB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007241AB
• GetLastError.KERNEL32 ref: 007241B5
• WaitForSingleObject.KERNEL32(?,?), ref: 007241C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007241D9
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0072421F
• GetLastError.KERNEL32 ref: 00724229
• WaitForSingleObject.KERNEL32(?,?), ref: 0072423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0072424D
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0072E066
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007283C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00728477
  • Part of subcall function 007269C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007269E5
  • Part of subcall function 007269C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00726A26
  • Part of subcall function 007269C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00726A3A
  • Part of subcall function 0072EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00721DCF,?), ref: 0072EEA8
  • Part of subcall function 0072EE95: HeapFree.KERNEL32(00000000), ref: 0072EEAF
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 359188348-2980165447
                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction ID: 36b335297a53332152ef548fa77d6f3d4736eea53a9b416d967c7bdf8067c5eb
                                                                                            • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction Fuzzy Hash: F941A1B2C02169BFEB50EFA0AE85DFF777CEB04300F14446AF504D2011FAB95A948B65
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0072E859,00000000,00020119,0072E859,PromptOnSecureDesktop), ref: 0072E64D
• RegCloseKey.ADVAPI32(0072E859,?,?,?,?,000000C8,000000E4), ref: 0072E787
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 47109696-2980165447
• Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
• Instruction ID: 46be2a7615bbe3bfa4401326517ab791cc2b497c7169e233066bd152c80bd2e4
• Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
• Instruction Fuzzy Hash: 814115B2D0022DBFDF11EF94EC85DEEBBB9EB14304F104476EA00B6261E3759A559B60
APIs
• GetLocalTime.KERNEL32(?), ref: 0072AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0072B00D
  • Part of subcall function 0072AF6F: gethostname.WS2_32(?,00000080), ref: 0072AF83
  • Part of subcall function 0072AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0072AFE6
  • Part of subcall function 0072331C: gethostname.WS2_32(?,00000080), ref: 0072333F
  • Part of subcall function 0072331C: gethostbyname.WS2_32(?), ref: 00723349
  • Part of subcall function 0072AA0A: inet_ntoa.WS2_32(00000000), ref: 0072AA10
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
• Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
• Instruction ID: 966737a21fdf0c3aee51d947d40e33408d3335b52c883983431350147432238a
• Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
• Instruction Fuzzy Hash: D841017290025CEBDB25EFA0EC4AEEF3B6CFF08304F144426F92592152EB79D6548B54
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00729536
• Sleep.KERNEL32(000001F4), ref: 0072955D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
• Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction ID: 78ec1cb0c6b8271c410bfe5ce9570551ebf14cfc3e95a050a78adc15830b7720
• Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction Fuzzy Hash: 50411571A043A46FEB379A65F89C7F63BA49B02310F2C00A5D286971D2E67C4D818711
APIs
• GetTickCount.KERNEL32 ref: 0072B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0072BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0072BA94
• GetTickCount.KERNEL32 ref: 0072BB79
• GetTickCount.KERNEL32 ref: 0072BB99
• InterlockedIncrement.KERNEL32(?), ref: 0072BE15
• closesocket.WS2_32(00000000), ref: 0072BEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: d2fc495c60edd7bfc521179a0ad0aaf3864158d59243a6d6218831ac2d3123c2
• Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction Fuzzy Hash: 0431B471900258DFDF25DFA4EC88EED77B8EB48700F20405AFA2492151DB39DA85CF10
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 007270BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007270F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: 86975ab840e3c91af3f1a0f9091650c7108cf329be7314dd7116686e1f16c9f4
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 57112A7290413CEBDF15CBD4ED84ADFB7BCAF44301F1441A6E501E6090E6749B88CBA0
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1721601015.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1721601015.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                            APIs
                                                                                              • Part of subcall function 00722F88: GetModuleHandleA.KERNEL32(?), ref: 00722FA1
                                                                                              • Part of subcall function 00722F88: LoadLibraryA.KERNEL32(?), ref: 00722FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007231DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 007231E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1722037787.0000000000720000.00000040.00001000.00020000.00000000.sdmp, Offset: 00720000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_720000_knkduwqg.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 4660b7af557126291554c4d0571bac3f72722b016b27d07129137b0bcf1673fb
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 7151AA3190026AEFCB11DF64E8889EAB7B5FF15300F244169EC9687211E73ADB19CB90

                                                                                            Execution Graph

                                                                                            Execution Coverage:3.1%
                                                                                            Dynamic/Decrypted Code Coverage:29.9%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:1596
                                                                                            Total number of Limit Nodes:15
                                                                                            execution_graph 14791 409961 RegisterServiceCtrlHandlerA 14792 40997d 14791->14792 14793 4099cb 14791->14793 14801 409892 14792->14801 14795 40999a 14796 4099ba 14795->14796 14797 409892 SetServiceStatus 14795->14797 14796->14793 14799 409892 SetServiceStatus 14796->14799 14798 4099aa 14797->14798 14798->14796 14804 4098f2 14798->14804 14799->14793 14802 4098c2 SetServiceStatus 14801->14802 14802->14795 14805 4098f6 14804->14805 14807 409904 Sleep 14805->14807 14809 409917 14805->14809 14812 404280 CreateEventA 14805->14812 14807->14805 14808 409915 14807->14808 14808->14809 14811 409947 14809->14811 14839 40977c 14809->14839 14811->14796 14813 4042a5 14812->14813 14819 40429d 14812->14819 14853 403ecd 14813->14853 14815 4042b0 14857 404000 14815->14857 14818 4043c1 FindCloseChangeNotification 14818->14819 14819->14805 14820 4042ce 14863 403f18 WriteFile 14820->14863 14825 4043ba CloseHandle 14825->14818 14826 404318 14827 403f18 4 API calls 14826->14827 14828 404331 14827->14828 14829 403f18 4 API calls 14828->14829 14830 40434a 14829->14830 14871 40ebcc GetProcessHeap HeapAlloc 14830->14871 14833 403f18 4 API calls 14834 404389 14833->14834 14874 40ec2e 14834->14874 14837 403f8c 4 API calls 14838 40439f CloseHandle CloseHandle 14837->14838 14838->14819 14903 40ee2a 14839->14903 14842 4097c2 14844 4097d4 Wow64GetThreadContext 14842->14844 14843 4097bb 14843->14811 14845 409801 14844->14845 14846 4097f5 14844->14846 14905 40637c 14845->14905 14847 4097f6 TerminateProcess 14846->14847 14847->14843 14849 409816 14849->14847 14850 40981e WriteProcessMemory 14849->14850 14850->14846 14851 40983b Wow64SetThreadContext 14850->14851 14851->14846 14852 409858 ResumeThread 14851->14852 14852->14843 14854 403edc 14853->14854 14856 403ee2 14853->14856 14879 406dc2 14854->14879 14856->14815 14858 40400b CreateFileA 14857->14858 14859 40402c GetLastError 14858->14859 14860 404052 
14858->14860 14859->14860 14861 404037 14859->14861 14860->14818 14860->14819 14860->14820 14861->14860 14862 404041 Sleep 14861->14862 14862->14858 14862->14860 14864 403f7c 14863->14864 14865 403f4e GetLastError 14863->14865 14867 403f8c ReadFile 14864->14867 14865->14864 14866 403f5b WaitForSingleObject GetOverlappedResult 14865->14866 14866->14864 14868 403ff0 14867->14868 14869 403fc2 GetLastError 14867->14869 14868->14825 14868->14826 14869->14868 14870 403fcf WaitForSingleObject GetOverlappedResult 14869->14870 14870->14868 14897 40eb74 14871->14897 14875 40ec37 14874->14875 14876 40438f 14874->14876 14900 40eba0 14875->14900 14876->14837 14880 406dd7 14879->14880 14884 406e24 14879->14884 14885 406cc9 14880->14885 14882 406ddc 14883 406e02 GetVolumeInformationA 14882->14883 14882->14884 14883->14884 14884->14856 14886 406cdc GetModuleHandleA GetProcAddress 14885->14886 14887 406dbe 14885->14887 14888 406d12 GetSystemDirectoryA 14886->14888 14889 406cfd 14886->14889 14887->14882 14890 406d27 GetWindowsDirectoryA 14888->14890 14891 406d1e 14888->14891 14889->14888 14892 406d8b 14889->14892 14894 406d42 14890->14894 14891->14890 14891->14892 14892->14887 14895 40ef1e lstrlenA 14894->14895 14896 40ef32 14895->14896 14896->14892 14898 40eb7b GetProcessHeap HeapSize 14897->14898 14899 404350 14897->14899 14898->14899 14899->14833 14901 40eba7 GetProcessHeap HeapSize 14900->14901 14902 40ebbf GetProcessHeap HeapFree 14900->14902 14901->14902 14902->14876 14904 409794 CreateProcessA 14903->14904 14904->14842 14904->14843 14906 406386 14905->14906 14907 40638a GetModuleHandleA VirtualAlloc 14905->14907 14906->14849 14908 4063f5 14907->14908 14909 4063b6 14907->14909 14908->14849 14910 4063be VirtualAllocEx 14909->14910 14910->14908 14911 4063d6 14910->14911 14912 4063df WriteProcessMemory 14911->14912 14912->14908 14960 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 15077 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14960->15077 
14962 409a95 14963 409aa3 GetModuleHandleA GetModuleFileNameA 14962->14963 14968 40a3c7 14962->14968 14977 409ac4 14963->14977 14964 40a41c CreateThread WSAStartup 15188 40e52e 14964->15188 16015 40405e CreateEventA 14964->16015 14966 409afd GetCommandLineA 14975 409b22 14966->14975 14967 40a406 DeleteFileA 14967->14968 14969 40a40d 14967->14969 14968->14964 14968->14967 14968->14969 14972 40a3ed GetLastError 14968->14972 14969->14964 14970 40a445 15207 40eaaf 14970->15207 14972->14969 14973 40a3f8 Sleep 14972->14973 14973->14967 14974 40a44d 15211 401d96 14974->15211 14980 409c0c 14975->14980 14987 409b47 14975->14987 14977->14966 14978 40a457 15259 4080c9 14978->15259 15078 4096aa 14980->15078 14991 409b96 lstrlenA 14987->14991 14997 409b58 14987->14997 14988 40a1d2 14998 40a1e3 GetCommandLineA 14988->14998 14989 409c39 14992 40a167 GetModuleHandleA GetModuleFileNameA 14989->14992 14996 409c4b 14989->14996 14991->14997 14994 409c05 ExitProcess 14992->14994 14995 40a189 14992->14995 14995->14994 15006 40a1b2 GetDriveTypeA 14995->15006 14996->14992 15000 404280 30 API calls 14996->15000 14997->14994 15001 409bd2 14997->15001 15024 40a205 14998->15024 15003 409c5b 15000->15003 15090 40675c 15001->15090 15003->14992 15009 40675c 21 API calls 15003->15009 15006->14994 15008 40a1c5 15006->15008 15180 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 15008->15180 15011 409c79 15009->15011 15011->14992 15018 409ca0 GetTempPathA 15011->15018 15019 409e3e 15011->15019 15012 409bff 15012->14994 15014 40a491 15015 40a49f GetTickCount 15014->15015 15016 40a4be Sleep 15014->15016 15023 40a4b7 GetTickCount 15014->15023 15305 40c913 15014->15305 15015->15014 15015->15016 15016->15014 15018->15019 15020 409cba 15018->15020 15027 409e6b GetEnvironmentVariableA 15019->15027 15029 409e04 15019->15029 15128 4099d2 lstrcpyA 15020->15128 15022 40ec2e codecvt 4 API calls 15026 40a15d 15022->15026 15023->15016 15028 40a285 lstrlenA 15024->15028 15037 40a239 15024->15037 15026->14992 
15026->14994 15027->15029 15030 409e7d 15027->15030 15028->15037 15029->15022 15031 4099d2 16 API calls 15030->15031 15033 409e9d 15031->15033 15032 406dc2 6 API calls 15034 409d5f 15032->15034 15033->15029 15036 409eb0 lstrcpyA lstrlenA 15033->15036 15040 406cc9 5 API calls 15034->15040 15039 409ef4 15036->15039 15086 406ec3 15037->15086 15038 40a3c2 15041 4098f2 41 API calls 15038->15041 15042 406dc2 6 API calls 15039->15042 15045 409f03 15039->15045 15044 409d72 lstrcpyA lstrcatA lstrcatA 15040->15044 15041->14968 15042->15045 15043 40a39d StartServiceCtrlDispatcherA 15043->15038 15049 409cf6 15044->15049 15046 409f32 RegOpenKeyExA 15045->15046 15048 409f48 RegSetValueExA RegCloseKey 15046->15048 15052 409f70 15046->15052 15047 40a35f 15047->15038 15047->15043 15048->15052 15135 409326 15049->15135 15057 409f9d GetModuleHandleA GetModuleFileNameA 15052->15057 15053 409e0c DeleteFileA 15053->15019 15054 409dde GetFileAttributesExA 15054->15053 15055 409df7 15054->15055 15055->15029 15172 4096ff 15055->15172 15059 409fc2 15057->15059 15076 40a093 15057->15076 15064 409ff1 GetDriveTypeA 15059->15064 15059->15076 15060 40a103 CreateProcessA 15062 40a12a DeleteFileA 15060->15062 15067 40a13a 15060->15067 15061 40a0a4 wsprintfA 15178 402544 15061->15178 15062->15067 15066 40a00d 15064->15066 15064->15076 15071 40a02d lstrcatA 15066->15071 15067->15029 15069 4096ff 3 API calls 15067->15069 15068 40ee2a 15070 40a0ec lstrcatA 15068->15070 15069->15029 15070->15060 15072 40a046 15071->15072 15073 40a052 lstrcatA 15072->15073 15074 40a064 lstrcatA 15072->15074 15073->15074 15075 40a081 lstrcatA 15074->15075 15074->15076 15075->15076 15076->15060 15076->15061 15077->14962 15079 4096b9 15078->15079 15408 4073ff 15079->15408 15081 4096e2 15082 4096e9 15081->15082 15083 4096fa 15081->15083 15428 40704c 15082->15428 15083->14988 15083->14989 15085 4096f7 15085->15083 15087 406ed5 15086->15087 15088 406ecc 15086->15088 15087->15047 15453 406e36 GetUserNameW 15088->15453 15091 
406784 CreateFileA 15090->15091 15092 40677a SetFileAttributesA 15090->15092 15093 4067a4 CreateFileA 15091->15093 15094 4067b5 15091->15094 15092->15091 15093->15094 15095 4067c5 15094->15095 15096 4067ba SetFileAttributesA 15094->15096 15097 406977 15095->15097 15098 4067cf GetFileSize 15095->15098 15096->15095 15097->14994 15115 406a60 CreateFileA 15097->15115 15099 4067e5 15098->15099 15113 406922 15098->15113 15101 4067ed ReadFile 15099->15101 15099->15113 15100 40696e CloseHandle 15100->15097 15102 406811 SetFilePointer 15101->15102 15101->15113 15103 40682a ReadFile 15102->15103 15102->15113 15104 406848 SetFilePointer 15103->15104 15103->15113 15105 406867 15104->15105 15104->15113 15106 406878 ReadFile 15105->15106 15110 4068d0 15105->15110 15106->15105 15106->15110 15107 40ebcc 4 API calls 15108 4068f8 15107->15108 15109 406900 SetFilePointer 15108->15109 15108->15113 15111 40695a 15109->15111 15112 40690d ReadFile 15109->15112 15110->15100 15110->15107 15114 40ec2e codecvt 4 API calls 15111->15114 15112->15111 15112->15113 15113->15100 15114->15113 15116 406b8c GetLastError 15115->15116 15117 406a8f GetDiskFreeSpaceA 15115->15117 15118 406b86 15116->15118 15119 406ac5 15117->15119 15127 406ad7 15117->15127 15118->15012 15456 40eb0e 15119->15456 15123 406b56 CloseHandle 15123->15118 15126 406b65 GetLastError CloseHandle 15123->15126 15124 406b36 GetLastError CloseHandle 15125 406b7f DeleteFileA 15124->15125 15125->15118 15126->15125 15460 406987 15127->15460 15129 4099eb 15128->15129 15130 409a2f lstrcatA 15129->15130 15131 40ee2a 15130->15131 15132 409a4b lstrcatA 15131->15132 15133 406a60 13 API calls 15132->15133 15134 409a60 15133->15134 15134->15019 15134->15032 15134->15049 15470 401910 15135->15470 15138 40934a GetModuleHandleA GetModuleFileNameA 15140 40937f 15138->15140 15141 4093a4 15140->15141 15142 4093d9 15140->15142 15143 4093c3 wsprintfA 15141->15143 15144 409401 wsprintfA 15142->15144 15146 409415 15143->15146 15144->15146 15145 4094a0 
15472 406edd 15145->15472 15146->15145 15149 406cc9 5 API calls 15146->15149 15148 4094ac 15150 40962f 15148->15150 15151 4094e8 RegOpenKeyExA 15148->15151 15155 409439 15149->15155 15157 409646 15150->15157 15493 401820 15150->15493 15153 409502 15151->15153 15154 4094fb 15151->15154 15158 40951f RegQueryValueExA 15153->15158 15154->15150 15160 40958a 15154->15160 15159 40ef1e lstrlenA 15155->15159 15166 4095d6 15157->15166 15499 4091eb 15157->15499 15161 409530 15158->15161 15162 409539 15158->15162 15163 409462 15159->15163 15160->15157 15164 409593 15160->15164 15165 40956e RegCloseKey 15161->15165 15167 409556 RegQueryValueExA 15162->15167 15168 40947e wsprintfA 15163->15168 15164->15166 15480 40f0e4 15164->15480 15165->15154 15166->15053 15166->15054 15167->15161 15167->15165 15168->15145 15170 4095bb 15170->15166 15487 4018e0 15170->15487 15173 402544 15172->15173 15174 40972d RegOpenKeyExA 15173->15174 15175 409740 15174->15175 15176 409765 15174->15176 15177 40974f RegDeleteValueA RegCloseKey 15175->15177 15176->15029 15177->15176 15179 402554 lstrcatA 15178->15179 15179->15068 15181 402544 15180->15181 15182 40919e wsprintfA 15181->15182 15183 4091bb 15182->15183 15537 409064 GetTempPathA 15183->15537 15186 4091d5 ShellExecuteA 15187 4091e7 15186->15187 15187->15012 15544 40dd05 GetTickCount 15188->15544 15190 40e538 15551 40dbcf 15190->15551 15192 40e544 15193 40e555 GetFileSize 15192->15193 15198 40e5b8 15192->15198 15194 40e5b1 CloseHandle 15193->15194 15195 40e566 15193->15195 15194->15198 15561 40db2e 15195->15561 15570 40e3ca RegOpenKeyExA 15198->15570 15199 40e576 ReadFile 15199->15194 15201 40e58d 15199->15201 15565 40e332 15201->15565 15203 40e5f2 15205 40e3ca 19 API calls 15203->15205 15206 40e629 15203->15206 15205->15206 15206->14970 15208 40eabe 15207->15208 15210 40eaba 15207->15210 15209 40dd05 6 API calls 15208->15209 15208->15210 15209->15210 15210->14974 15212 40ee2a 15211->15212 15213 401db4 GetVersionExA 15212->15213 15214 401dd0 
GetSystemInfo GetModuleHandleA GetProcAddress 15213->15214 15216 401e24 15214->15216 15217 401e16 GetCurrentProcess 15214->15217 15623 40e819 15216->15623 15217->15216 15219 401e3d 15220 40e819 11 API calls 15219->15220 15221 401e4e 15220->15221 15222 401e77 15221->15222 15630 40df70 15221->15630 15639 40ea84 15222->15639 15226 401e6c 15228 40df70 12 API calls 15226->15228 15227 40e819 11 API calls 15229 401e93 15227->15229 15228->15222 15643 40199c inet_addr LoadLibraryA 15229->15643 15232 40e819 11 API calls 15233 401eb9 15232->15233 15235 40f04e 4 API calls 15233->15235 15242 401ed8 15233->15242 15234 40e819 11 API calls 15236 401eee 15234->15236 15237 401ec9 15235->15237 15238 401f0a 15236->15238 15656 401b71 15236->15656 15239 40ea84 30 API calls 15237->15239 15241 40e819 11 API calls 15238->15241 15239->15242 15244 401f23 15241->15244 15242->15234 15243 401efd 15245 40ea84 30 API calls 15243->15245 15246 401f3f 15244->15246 15660 401bdf 15244->15660 15245->15238 15247 40e819 11 API calls 15246->15247 15249 401f5e 15247->15249 15251 401f77 15249->15251 15253 40ea84 30 API calls 15249->15253 15667 4030b5 15251->15667 15252 40ea84 30 API calls 15252->15246 15253->15251 15257 406ec3 2 API calls 15258 401f8e GetTickCount 15257->15258 15258->14978 15260 406ec3 2 API calls 15259->15260 15261 4080eb 15260->15261 15262 4080f9 15261->15262 15263 4080ef 15261->15263 15265 40704c 16 API calls 15262->15265 15715 407ee6 15263->15715 15267 408110 15265->15267 15266 408269 CreateThread 15284 405e6c 15266->15284 16044 40877e 15266->16044 15269 408156 RegOpenKeyExA 15267->15269 15270 4080f4 15267->15270 15268 40675c 21 API calls 15274 408244 15268->15274 15269->15270 15271 40816d RegQueryValueExA 15269->15271 15270->15266 15270->15268 15272 4081f7 15271->15272 15273 40818d 15271->15273 15275 40820d RegCloseKey 15272->15275 15277 40ec2e codecvt 4 API calls 15272->15277 15273->15272 15278 40ebcc 4 API calls 15273->15278 15274->15266 15276 40ec2e codecvt 4 API calls 15274->15276 
15275->15270 15276->15266 15283 4081dd 15277->15283 15279 4081a0 15278->15279 15279->15275 15280 4081aa RegQueryValueExA 15279->15280 15280->15272 15281 4081c4 15280->15281 15282 40ebcc 4 API calls 15281->15282 15282->15283 15283->15275 15783 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15284->15783 15286 405e71 15784 40e654 15286->15784 15288 405ec1 15289 403132 15288->15289 15290 40df70 12 API calls 15289->15290 15291 40313b 15290->15291 15292 40c125 15291->15292 15795 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15292->15795 15294 40c12d 15295 40e654 13 API calls 15294->15295 15296 40c2bd 15295->15296 15297 40e654 13 API calls 15296->15297 15298 40c2c9 15297->15298 15299 40e654 13 API calls 15298->15299 15300 40a47a 15299->15300 15301 408db1 15300->15301 15302 408dbc 15301->15302 15303 40e654 13 API calls 15302->15303 15304 408dec Sleep 15303->15304 15304->15014 15306 40c92f 15305->15306 15308 40c93c 15306->15308 15796 40c517 15306->15796 15309 40e819 11 API calls 15308->15309 15324 40ca2b 15308->15324 15310 40c96a 15309->15310 15311 40e819 11 API calls 15310->15311 15312 40c97d 15311->15312 15313 40e819 11 API calls 15312->15313 15314 40c990 15313->15314 15315 40c9aa 15314->15315 15316 40ebcc 4 API calls 15314->15316 15315->15324 15813 402684 15315->15813 15316->15315 15321 40ca26 15820 40c8aa 15321->15820 15324->15014 15325 40ca44 15326 40ca4b closesocket 15325->15326 15327 40ca83 15325->15327 15326->15321 15328 40ea84 30 API calls 15327->15328 15329 40caac 15328->15329 15330 40f04e 4 API calls 15329->15330 15331 40cab2 15330->15331 15332 40ea84 30 API calls 15331->15332 15333 40caca 15332->15333 15334 40ea84 30 API calls 15333->15334 15335 40cad9 15334->15335 15828 40c65c 15335->15828 15338 40cb60 closesocket 15338->15324 15340 40dad2 closesocket 15341 40e318 23 API calls 15340->15341 15341->15324 15342 40df4c 20 API calls 15400 40cb70 15342->15400 15347 40e654 13 API calls 15347->15400 15350 40f04e LoadLibraryA 
GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15350->15400 15354 40cc1c GetTempPathA 15354->15400 15355 40ea84 30 API calls 15355->15400 15356 40d569 closesocket Sleep 15875 40e318 15356->15875 15357 40d815 wsprintfA 15357->15400 15358 40c517 23 API calls 15358->15400 15360 40e8a1 30 API calls 15360->15400 15361 40d582 ExitProcess 15362 40cfe3 GetSystemDirectoryA 15362->15400 15363 40675c 21 API calls 15363->15400 15364 40d027 GetSystemDirectoryA 15364->15400 15365 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15365->15400 15366 40cfad GetEnvironmentVariableA 15366->15400 15367 40d105 lstrcatA 15367->15400 15368 40ef1e lstrlenA 15368->15400 15369 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15369->15400 15370 40cc9f CreateFileA 15372 40ccc6 WriteFile 15370->15372 15370->15400 15371 40d15b CreateFileA 15373 40d182 WriteFile CloseHandle 15371->15373 15371->15400 15374 40cdcc CloseHandle 15372->15374 15375 40cced CloseHandle 15372->15375 15373->15400 15374->15400 15381 40cd2f 15375->15381 15376 40d149 SetFileAttributesA 15376->15371 15377 40cd16 wsprintfA 15377->15381 15378 40d36e GetEnvironmentVariableA 15378->15400 15379 40d1bf SetFileAttributesA 15379->15400 15380 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15380->15400 15381->15377 15857 407fcf 15381->15857 15382 407ead 6 API calls 15382->15400 15383 40d22d GetEnvironmentVariableA 15383->15400 15385 40d3af lstrcatA 15388 40d3f2 CreateFileA 15385->15388 15385->15400 15387 407fcf 64 API calls 15387->15400 15391 40d415 WriteFile CloseHandle 15388->15391 15388->15400 15389 40cd81 WaitForSingleObject CloseHandle CloseHandle 15392 40f04e 4 API calls 15389->15392 15390 40cda5 15393 407ee6 64 API calls 15390->15393 15391->15400 15392->15390 15394 40cdbd DeleteFileA 15393->15394 15394->15400 15395 40d4b1 CreateProcessA 15398 40d4e8 CloseHandle CloseHandle 15395->15398 15395->15400 15396 40d3e0 SetFileAttributesA 15396->15388 15397 40d26e 
lstrcatA 15399 40d2b1 CreateFileA 15397->15399 15397->15400 15398->15400 15399->15400 15401 40d2d8 WriteFile CloseHandle 15399->15401 15400->15340 15400->15342 15400->15347 15400->15350 15400->15354 15400->15355 15400->15356 15400->15357 15400->15358 15400->15360 15400->15362 15400->15363 15400->15364 15400->15365 15400->15366 15400->15367 15400->15368 15400->15369 15400->15370 15400->15371 15400->15376 15400->15378 15400->15379 15400->15380 15400->15382 15400->15383 15400->15385 15400->15387 15400->15388 15400->15395 15400->15396 15400->15397 15400->15399 15402 407ee6 64 API calls 15400->15402 15403 40d452 SetFileAttributesA 15400->15403 15404 40d29f SetFileAttributesA 15400->15404 15407 40d31d SetFileAttributesA 15400->15407 15836 40c75d 15400->15836 15848 407e2f 15400->15848 15870 407ead 15400->15870 15880 4031d0 15400->15880 15897 403c09 15400->15897 15907 403a00 15400->15907 15911 40e7b4 15400->15911 15914 40c06c 15400->15914 15920 406f5f GetUserNameA 15400->15920 15931 40e854 15400->15931 15941 407dd6 15400->15941 15401->15400 15402->15400 15403->15400 15404->15399 15407->15400 15409 40741b 15408->15409 15410 406dc2 6 API calls 15409->15410 15411 40743f 15410->15411 15412 407469 RegOpenKeyExA 15411->15412 15413 4077f9 15412->15413 15424 407487 ___ascii_stricmp 15412->15424 15413->15081 15414 407703 RegEnumKeyA 15415 407714 RegCloseKey 15414->15415 15414->15424 15415->15413 15416 40f1a5 lstrlenA 15416->15424 15417 4074d2 RegOpenKeyExA 15417->15424 15418 40772c 15420 407742 RegCloseKey 15418->15420 15421 40774b 15418->15421 15419 407521 RegQueryValueExA 15419->15424 15420->15421 15423 4077ec RegCloseKey 15421->15423 15422 4076e4 RegCloseKey 15422->15424 15423->15413 15424->15414 15424->15416 15424->15417 15424->15418 15424->15419 15424->15422 15425 407769 15424->15425 15427 40777e GetFileAttributesExA 15424->15427 15426 4077e3 RegCloseKey 15425->15426 15426->15423 15427->15425 15429 407073 15428->15429 15430 4070b9 RegOpenKeyExA 15429->15430 15431 4070d0 
15430->15431 15445 4071b8 15430->15445 15432 406dc2 6 API calls 15431->15432 15435 4070d5 15432->15435 15433 40719b RegEnumValueA 15434 4071af RegCloseKey 15433->15434 15433->15435 15434->15445 15435->15433 15437 4071d0 15435->15437 15451 40f1a5 lstrlenA 15435->15451 15438 407205 RegCloseKey 15437->15438 15439 407227 15437->15439 15438->15445 15440 4072b8 ___ascii_stricmp 15439->15440 15441 40728e RegCloseKey 15439->15441 15442 4072cd RegCloseKey 15440->15442 15443 4072dd 15440->15443 15441->15445 15442->15445 15444 407311 RegCloseKey 15443->15444 15447 407335 15443->15447 15444->15445 15445->15085 15446 4073d5 RegCloseKey 15448 4073e4 15446->15448 15447->15446 15449 40737e GetFileAttributesExA 15447->15449 15450 407397 15447->15450 15449->15450 15450->15446 15452 40f1c3 15451->15452 15452->15435 15454 406e97 15453->15454 15455 406e5f LookupAccountNameW 15453->15455 15454->15087 15455->15454 15457 40eb17 15456->15457 15458 40eb21 15456->15458 15466 40eae4 15457->15466 15458->15127 15462 4069b9 WriteFile 15460->15462 15463 406a3c 15462->15463 15464 4069ff 15462->15464 15463->15123 15463->15124 15464->15463 15465 406a10 WriteFile 15464->15465 15465->15463 15465->15464 15467 40eb02 GetProcAddress 15466->15467 15468 40eaed LoadLibraryA 15466->15468 15467->15458 15468->15467 15469 40eb01 15468->15469 15469->15458 15471 401924 GetVersionExA 15470->15471 15471->15138 15473 406f55 15472->15473 15474 406eef AllocateAndInitializeSid 15472->15474 15473->15148 15475 406f44 15474->15475 15476 406f1c CheckTokenMembership 15474->15476 15475->15473 15479 406e36 2 API calls 15475->15479 15477 406f3b FreeSid 15476->15477 15478 406f2e 15476->15478 15477->15475 15478->15477 15479->15473 15481 40f0f1 15480->15481 15482 40f0ed 15480->15482 15483 40f119 15481->15483 15484 40f0fa lstrlenA SysAllocStringByteLen 15481->15484 15482->15170 15485 40f11c MultiByteToWideChar 15483->15485 15484->15485 15486 40f117 15484->15486 15485->15486 15486->15170 15488 401820 17 API calls 15487->15488 15489 
Execution Graph (text rendering)

The interactive call graph does not survive extraction as a readable graph; what follows is the information recoverable from it: the API call sites, listed by the address of the code block that makes the call. Node identifiers and the node-to-node edge list are omitted. Calls into other functions appear in the graph only as "N API calls" and are not repeated here. A second, verbatim copy of the 0x407a95 function graph that followed the main listing has been dropped.

Unpacking stub and loader (0x780000 and 0x800000 regions)
  0x780920 TerminateProcess
  0x78092b, 0x780dbb GetPEB
  0x780e0f SetErrorMode, SetErrorMode
  0x780238 VirtualAlloc; 0x7802ce VirtualProtect; 0x780439 VirtualFree
  0x7804e3, 0x7805f4 LoadLibraryA
  0x8024dc CreateToolhelp32Snapshot; 0x8024f8 Module32First; 0x8021b3 VirtualAlloc

Run-time API resolution
  0x40100d LoadLibraryA, followed by fifteen GetProcAddress calls (0x4010b5 through 0x40125c)
  0x401ac3 LoadLibraryA; 0x401ae2 GetProcAddress; 0x4019d5 GetProcAddress, GetProcAddress, GetProcAddress; 0x401aa1, 0x401ab3 FreeLibrary
  0x402d21, 0x402df2 GetModuleHandleA; 0x402d46, 0x402e10 LoadLibraryA; 0x402d5b, 0x402e28 GetProcAddress
  0x40f04e LoadLibraryA, GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime

Host and account information
  0x401b68 GetComputerNameA, GetVolumeInformationA; 0x401c0d GetComputerNameA; 0x401c45 GetVolumeInformationA
  0x4030d0 gethostname, gethostbyname; 0x40ad08 gethostname
  0x406f88 LookupAccountNameA; 0x406fdb ConvertSidToStringSidA; 0x407013 LocalFree; 0x40702a wsprintfA

Process and thread creation
  0x401280 function: 0x401570 lstrlenW; 0x4015be GetStartupInfoW; 0x4015ff CreateProcessWithLogonW; 0x40163f WaitForSingleObject; 0x401659, 0x401668 CloseHandle; 0x4016bf, 0x4016f9 GetLastError
  0x4080c2 CreateProcessA; 0x408719 CreateProcessA; 0x40873d CloseHandle, CloseHandle
  0x4092bf ShellExecuteA, retried from a 0x4092f1 Sleep loop
  0x401851 GetCurrentProcess
  0x40c4ab InterlockedIncrement, CreateThread; 0x40c4cb CloseHandle
  0x40411c ExitProcess

Security descriptor (owner and DACL) rewriting
  files, 0x407809 function: GetUserNameA; 0x40783d LookupAccountNameA; 0x407874 GetLengthSid, GetFileSecurityA; 0x4078a8 GetSecurityDescriptorOwner; 0x4078c5, 0x407980, 0x4079be EqualSid; 0x4078dc, 0x407a43 LocalAlloc; 0x4078ef, 0x407a56 InitializeSecurityDescriptor; 0x4078fb SetSecurityDescriptorOwner; 0x40790b, 0x407a73 SetFileSecurityA; 0x40791d GetSecurityDescriptorDacl; 0x40795b GetAce; 0x40799d DeleteAce; 0x407a62 SetSecurityDescriptorDacl; 0x407916, 0x407a86 LocalFree
  registry keys, 0x407a95 function: RegOpenKeyExA; 0x407acb GetUserNameA; 0x407aed LookupAccountNameA; 0x407b24 RegGetKeySecurity; 0x407b49 GetSecurityDescriptorOwner; 0x407b63, 0x407c1d, 0x407c5f EqualSid; 0x407b74, 0x407d5a LocalAlloc; 0x407b8a, 0x407d70 InitializeSecurityDescriptor; 0x407b96 SetSecurityDescriptorOwner; 0x407ba6, 0x407d8c RegSetKeySecurity; 0x407bb8 GetSecurityDescriptorDacl; 0x407bf8 GetAce; 0x407c3a DeleteAce; 0x407cf2 RegOpenKeyExA; 0x407d43 RegSetValueExA; 0x407d7c SetSecurityDescriptorDacl; 0x407bb1, 0x407d9f LocalFree; 0x407da7 RegCloseKey

Registry access
  0x40e434, 0x40e46e, 0x40e4b9 RegQueryValueExA; 0x40e51d RegCloseKey
  0x40e095 RegCreateKeyExA; 0x40e115 RegSetValueExA; 0x40e14e RegDeleteValueA, RegCloseKey
  0x408328 function: 0x4083ea, 0x4084a7, 0x408564 RegOpenKeyExA; 0x4083fd, 0x4084c0, 0x4084f8 RegQueryValueExA; 0x40842d RegSetValueExA; 0x408573 RegSetValueExA, RegCloseKey; 0x408447, 0x408521 RegCloseKey; 0x408626 GetTempPathA; 0x4086e0 lstrcpyA, lstrlenA; 0x40875b DeleteFileA

File I/O
  0x4090e2 wsprintfA; 0x4090fd CreateFileA; 0x40911a lstrlenA, WriteFile, CloseHandle
  0x40db67 GetEnvironmentVariableA; 0x40db89 lstrcpyA, CreateFileA
  0x40e1f9 WriteFile; 0x40e21a CloseHandle
  0x406ba7 IsBadCodePtr; 0x406c07 CreateFileA; 0x406c34 WriteFile; 0x406c49 CloseHandle, DeleteFileA; 0x406c5a CloseHandle
  0x407ece DeleteFileA

Named pipe with overlapped I/O
  0x404159 CreateNamedPipeA; 0x404167 Sleep; 0x404176, 0x404127 CloseHandle; 0x404188 ConnectNamedPipe; 0x404195 GetLastError; 0x40425e DisconnectNamedPipe; 0x40426a CloseHandle, CloseHandle
  0x403f18 WriteFile, GetLastError, WaitForSingleObject, GetOverlappedResult; 0x403f8c ReadFile, GetLastError, WaitForSingleObject, GetOverlappedResult

Networking
  0x40f315 function (TCP connect with non-blocking socket): 0x40f347 htons, socket; 0x40f382, 0x40f403 ioctlsocket; 0x40f3aa connect, select; 0x40f3f2 __WSAFDIsSet; 0x40f26d setsockopt x5; 0x40f374, 0x40f39f closesocket
  0x40f473 recv; 0x40c73c send; 0x401990, 0x40bc4c, 0x40bcdc closesocket
  0x402692, 0x402e7f inet_addr; 0x40269e, 0x402ea5 gethostbyname; 0x4026b2 gethostbyaddr; 0x4026e1, 0x40a7a3 inet_ntoa
  0x402a62 function (UDP): 0x402a99 socket; 0x402b04 select; 0x402b3f recv; 0x4027cc htons, htons, sendto; 0x40272b GetTickCount, htons; further htons at 0x402816, 0x40285c, 0x4028c3, 0x4029bd, 0x402adb, 0x402b66, 0x402b87, 0x402c17; buffers from GetProcessHeap/HeapAlloc (0x402a62, 0x402bf3, 0x4029f6) and GetProcessHeap/HeapFree (0x402909, 0x402c4d, 0x402cd3); 0x402cb3 GetProcessHeap, HeapFree, closesocket
  0x40a7c1 function (text request/response over a socket): 0x40a87d lstrlenA, send; 0x40a8c4 send; 0x40a978 recv; 0x40a7fa, 0x40a8a5, 0x40a8d8, 0x40a9b0 wsprintfA

Thread routine at 0x40b535 (reached from the 0x40c4ab CreateThread)
  InterlockedIncrement at 0x40b7ce, 0x40b826, 0x40bba6, 0x40bc5b, 0x40bc6d, 0x40bd49; 0x40bdcd InterlockedDecrement; 0x40bdb7 Sleep
  0x40b6ed lstrcpyA; 0x40b6b6, 0x40b731 lstrlenA; 0x40b71f lstrcmpA; 0x40ba71 wsprintfA; 0x40ab81 lstrcpynA, InterlockedIncrement; 0x40aba8 lstrcpynA; 0x40abe1 InterlockedIncrement
  GetTickCount at 0x40b772, 0x40b912, 0x40b932, 0x40abe9, 0x401feb

Time and date formatting
  0x40ad89 GetLocalTime, SystemTimeToFileTime; 0x40b2af GetLocalTime; 0x40b2bb FileTimeToLocalFileTime, FileTimeToSystemTime; 0x40b2d9 SystemTimeToFileTime; 0x40b312 FileTimeToSystemTime; 0x40b31c GetTimeZoneInformation; 0x40b33a, 0x40b458 wsprintfA
  0x40ad26, 0x40ad68 lstrlenA; 0x40ad79 lstrcpyA; 0x40ae36 wsprintfA, wsprintfA; 0x40ae85 wsprintfA

Spin-locks and timing loops (InterlockedExchange, GetTickCount, Sleep)
  0x40dd41 / 0x40dd2e / 0x40dd39, with GetCurrentThreadId at 0x40dd20 and 0x40dd53
  0x403122 / 0x40310f / 0x40311a; 0x407dc8 / 0x407dc0; 0x40a4f7 / 0x40a4e4 / 0x40a4ef; 0x404bff / 0x404bec / 0x404bf7
  Sleep also at 0x402d0e and 0x4088a0; GetCurrentThreadId also at 0x4036da, 0x4036e5, 0x4037b3, 0x4037c8, 0x40391b, 0x403939
  GetTickCount also at 0x40206e, 0x4020d4, 0x4020db, 0x40212b, 0x402132 (twice), 0x4030fa, 0x40a4c7, 0x40a539, 0x40a542, 0x40a65e, 0x40bfce (with wsprintfA), 0x40c300, 0x40c32b, 0x40c363, 0x40c378, 0x40c43b

Heap and string helpers
  0x40ebcc GetProcessHeap, HeapSize, GetProcessHeap, HeapAlloc; 0x40ec2e GetProcessHeap, HeapSize, GetProcessHeap, HeapFree; 0x40ec0a GetProcessHeap, HeapReAlloc
  0x401a14 GetProcessHeap; 0x401a2e HeapAlloc; 0x401a52 HeapReAlloc; 0x401a96 HeapFree; 0x402d97, 0x402e3e GetProcessHeap, HeapAlloc; 0x402ede, 0x402f6b, 0x402fcf GetProcessHeap, HeapFree
  lstrcmpA at 0x40ddfa, 0x40e68c, 0x40e71d; lstrcmpiA at 0x40244e, 0x403141, 0x40ddad; lstrcpynA at 0x402db5, 0x40558d, 0x405935, 0x40e6e0, 0x40e8c8; lstrcpyA at 0x4058e7, 0x405a9f, 0x40e885; lstrlenA at 0x402419, 0x40243d, 0x402464, 0x403b66, 0x40480d, 0x405549, 0x40dd79, 0x40e926 (twice), 0x40e94c, 0x40ef1e, 0x40ef7c (three times)
  0x401cc2, 0x401d47, 0x40c07e wsprintfA; 0x405643 LoadLibraryW; 0x404fd5 IsBadCodePtr
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(C:\Users\user\Desktop\knkduwqg.exe), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\knkduwqg.exe$C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$D$P$\$gtdjtffe
                                                                                            • API String ID: 2089075347-309282177
                                                                                            • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 574 40637c-406384 575 406386-406389 574->575 576 40638a-4063b4 GetModuleHandleA VirtualAlloc 574->576 577 4063f5-4063f7 576->577 578 4063b6-4063d4 call 40ee08 VirtualAllocEx 576->578 580 40640b-40640f 577->580 578->577 582 4063d6-4063f3 call 4062b7 WriteProcessMemory 578->582 582->577 585 4063f9-40640a 582->585 585->580
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 264 407a95-407ac2 RegOpenKeyExA 265 407ac4-407ac6 264->265 266 407acb-407ae7 GetUserNameA 264->266 269 407db4-407db6 265->269 267 407da7-407db3 RegCloseKey 266->267 268 407aed-407b1e LookupAccountNameA 266->268 267->269 268->267 270 407b24-407b43 RegGetKeySecurity 268->270 270->267 271 407b49-407b61 GetSecurityDescriptorOwner 270->271 272 407b63-407b72 EqualSid 271->272 273 407bb8-407bd6 GetSecurityDescriptorDacl 271->273 272->273 274 407b74-407b88 LocalAlloc 272->274 275 407da6 273->275 276 407bdc-407be1 273->276 274->273 277 407b8a-407b94 InitializeSecurityDescriptor 274->277 275->267 276->275 278 407be7-407bf2 276->278 279 407bb1-407bb2 LocalFree 277->279 280 407b96-407ba4 SetSecurityDescriptorOwner 277->280 278->275 281 407bf8-407c08 GetAce 278->281 279->273 280->279 282 407ba6-407bab RegSetKeySecurity 280->282 283 407cc6 281->283 284 407c0e-407c1b 281->284 282->279 285 407cc9-407cd3 283->285 286 407c1d-407c2f EqualSid 284->286 287 407c4f-407c52 284->287 285->281 290 407cd9-407cdc 285->290 291 407c31-407c34 286->291 292 407c36-407c38 286->292 288 407c54-407c5e 287->288 289 407c5f-407c71 EqualSid 287->289 288->289 294 407c73-407c84 289->294 295 407c86 289->295 290->275 296 407ce2-407ce8 290->296 291->286 291->292 292->287 293 407c3a-407c4d DeleteAce 292->293 293->285 299 407c8b-407c8e 294->299 295->299 297 407d5a-407d6e LocalAlloc 296->297 298 407cea-407cf0 296->298 297->275 303 407d70-407d7a InitializeSecurityDescriptor 297->303 298->297 300 407cf2-407d0d RegOpenKeyExA 298->300 301 407c90-407c96 299->301 302 407c9d-407c9f 299->302 300->297 304 407d0f-407d16 300->304 301->302 305 407ca1-407ca5 302->305 306 407ca7-407cc3 302->306 307 407d7c-407d8a SetSecurityDescriptorDacl 303->307 308 407d9f-407da0 LocalFree 303->308 309 407d19-407d1e 304->309 305->283 305->306 306->283 307->308 310 407d8c-407d9a RegSetKeySecurity 307->310 308->275 309->309 311 
407d20-407d52 call 402544 RegSetValueExA 309->311 310->308 312 407d9c 310->312 311->297 315 407d54 311->315 312->308 315->297
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$D
                                                                                            • API String ID: 2976863881-3230128393
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 316 4073ff-407419 317 40741b 316->317 318 40741d-407422 316->318 317->318 319 407424 318->319 320 407426-40742b 318->320 319->320 321 407430-407435 320->321 322 40742d 320->322 323 407437 321->323 324 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 321->324 322->321 323->324 329 407487-40749d call 40ee2a 324->329 330 4077f9-4077fe call 40ee2a 324->330 336 407703-40770e RegEnumKeyA 329->336 335 407801 330->335 339 407804-407808 335->339 337 4074a2-4074b1 call 406cad 336->337 338 407714-40771d RegCloseKey 336->338 342 4074b7-4074cc call 40f1a5 337->342 343 4076ed-407700 337->343 338->335 342->343 346 4074d2-4074f8 RegOpenKeyExA 342->346 343->336 347 407727-40772a 346->347 348 4074fe-407530 call 402544 RegQueryValueExA 346->348 349 407755-407764 call 40ee2a 347->349 350 40772c-407740 call 40ef00 347->350 348->347 356 407536-40753c 348->356 361 4076df-4076e2 349->361 358 407742-407745 RegCloseKey 350->358 359 40774b-40774e 350->359 360 40753f-407544 356->360 358->359 364 4077ec-4077f7 RegCloseKey 359->364 360->360 363 407546-40754b 360->363 361->343 362 4076e4-4076e7 RegCloseKey 361->362 362->343 363->349 365 407551-40756b call 40ee95 363->365 364->339 365->349 368 407571-407593 call 402544 call 40ee95 365->368 373 407753 368->373 374 407599-4075a0 368->374 373->349 375 4075a2-4075c6 call 40ef00 call 40ed03 374->375 376 4075c8-4075d7 call 40ed03 374->376 382 4075d8-4075da 375->382 376->382 384 4075dc 382->384 385 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 382->385 384->385 394 407626-40762b 385->394 394->394 395 40762d-407634 394->395 396 407637-40763c 395->396 396->396 397 40763e-407642 396->397 398 407644-407656 call 40ed77 397->398 399 40765c-407673 call 40ed23 397->399 398->399 406 407769-40777c call 40ef00 398->406 404 407680 399->404 405 407675-40767e 399->405 408 407683-40768e call 406cad 404->408 405->408 411 4077e3-4077e6 
RegCloseKey 406->411 413 407722-407725 408->413 414 407694-4076bf call 40f1a5 call 406c96 408->414 411->364 415 4076dd 413->415 420 4076c1-4076c7 414->420 421 4076d8 414->421 415->361 420->421 422 4076c9-4076d2 420->422 421->415 422->421 423 40777e-407797 GetFileAttributesExA 422->423 424 407799 423->424 425 40779a-40779f 423->425 424->425 426 4077a1 425->426 427 4077a3-4077a8 425->427 426->427 428 4077c4-4077c8 427->428 429 4077aa-4077c0 call 40ee08 427->429 431 4077d7-4077dc 428->431 432 4077ca-4077d6 call 40ef00 428->432 429->428 435 4077e0-4077e2 431->435 436 4077de 431->436 432->431 435->411 436->435
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 438 78003c-780047 439 780049 438->439 440 78004c-780263 call 780a3f call 780e0f call 780d90 VirtualAlloc 438->440 439->440 455 78028b-780292 440->455 456 780265-780289 call 780a69 440->456 458 7802a1-7802b0 455->458 460 7802ce-7803c2 VirtualProtect call 780cce call 780ce7 456->460 458->460 461 7802b2-7802cc 458->461 467 7803d1-7803e0 460->467 461->458 468 780439-7804b8 VirtualFree 467->468 469 7803e2-780437 call 780ce7 467->469 471 7804be-7804cd 468->471 472 7805f4-7805fe 468->472 469->467 474 7804d3-7804dd 471->474 475 78077f-780789 472->475 476 780604-78060d 472->476 474->472 480 7804e3-780505 LoadLibraryA 474->480 478 78078b-7807a3 475->478 479 7807a6-7807b0 475->479 476->475 481 780613-780637 476->481 478->479 482 78086e-7808be LoadLibraryA 479->482 483 7807b6-7807cb 479->483 484 780517-780520 480->484 485 780507-780515 480->485 486 78063e-780648 481->486 490 7808c7-7808f9 482->490 487 7807d2-7807d5 483->487 488 780526-780547 484->488 485->488 486->475 489 78064e-78065a 486->489 491 780824-780833 487->491 492 7807d7-7807e0 487->492 493 78054d-780550 488->493 489->475 494 780660-78066a 489->494 496 7808fb-780901 490->496 497 780902-78091d 490->497 495 780839-78083c 491->495 498 7807e2 492->498 499 7807e4-780822 492->499 500 7805e0-7805ef 493->500 501 780556-78056b 493->501 502 78067a-780689 494->502 495->482 503 78083e-780847 495->503 496->497 498->491 499->487 500->474 506 78056d 501->506 507 78056f-78057a 501->507 504 78068f-7806b2 502->504 505 780750-78077a 502->505 510 780849 503->510 511 78084b-78086c 503->511 512 7806ef-7806fc 504->512 513 7806b4-7806ed 504->513 505->486 506->500 508 78059b-7805bb 507->508 509 78057c-780599 507->509 521 7805bd-7805db 508->521 509->521 510->482 511->495 515 78074b 512->515 516 7806fe-780748 512->516 513->512 515->502 516->515 521->493
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0078024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 11e41495bae7d7e4d724454cbfe7a509fbcdab37b2827ee2bc84ff87f4a961b5
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: 19527974A01229DFDBA4CF58C984BA8BBB1BF09304F1480D9E50DAB351DB34AE99DF54

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 522 40977c-4097b9 call 40ee2a CreateProcessA 525 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 522->525 526 4097bb-4097bd 522->526 530 409801-40981c call 40637c 525->530 531 4097f5 525->531 527 409864-409866 526->527 532 4097f6-4097ff TerminateProcess 530->532 535 40981e-409839 WriteProcessMemory 530->535 531->532 532->526 535->531 536 40983b-409856 Wow64SetThreadContext 535->536 536->531 537 409858-409863 ResumeThread 536->537 537->527
                                                                                            APIs
                                                                                            • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2098669666-2746444292
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
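Read in the order the control-flow graph executes them, the six calls of the function at 0040977C are a suspended-process injection chain: CreateProcessA with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), Wow64GetThreadContext, a 4-byte WriteProcessMemory, Wow64SetThreadContext whose second printed value 0x00010002 decodes as CONTEXT_INTEGER (CONTEXT_i386 | 0x2, the EAX..EDI register group), then ResumeThread, with TerminateProcess on the failure edge. The script below is an added example written by the editor of this page, not Joe Sandbox or Tofsee code. It parses API lines in the format printed on this page and flags that chain. Assumptions: the sixth CreateProcess argument is dwCreationFlags, the second Wow64SetThreadContext value is the dereferenced ContextFlags field, and "?" means an argument the sandbox could not recover. The first trace is this function's own call list copied from above; the second is a constructed benign launch for contrast.

```python
import re
from typing import Dict, List, Optional

# Added example (editor's code, not Joe Sandbox's or the sample's). It parses
# API lines in the format the report prints and flags the suspended-process ->
# WriteProcessMemory -> [Wow64]SetThreadContext -> ResumeThread chain.
# Only the line format and the Win32 constants are taken as given.

CREATE_SUSPENDED = 0x00000004            # CreateProcess dwCreationFlags bit
CONTEXT_i386 = 0x00010000                # every x86 CONTEXT_* value carries this bit
X86_CONTEXT_FLAGS = [                    # (name, value) as defined in winnt.h
    ("CONTEXT_CONTROL", CONTEXT_i386 | 0x01),        # Ebp, Eip, SegCs, EFlags, Esp, SegSs
    ("CONTEXT_INTEGER", CONTEXT_i386 | 0x02),        # Edi, Esi, Ebx, Edx, Ecx, Eax
    ("CONTEXT_SEGMENTS", CONTEXT_i386 | 0x04),
    ("CONTEXT_FLOATING_POINT", CONTEXT_i386 | 0x08),
    ("CONTEXT_DEBUG_REGISTERS", CONTEXT_i386 | 0x10),
    ("CONTEXT_EXTENDED_REGISTERS", CONTEXT_i386 | 0x20),
]

API_LINE = re.compile(
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Z0-9_]+)"   # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                       # (arg,arg,...) is optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"              # , ref: 004097B1
)


def parse_api_line(line: str) -> Optional[dict]:
    """One report line -> {'api', 'mod', 'args', 'ref'}.
    Eight-hex-digit arguments become ints; '?' and string arguments become None."""
    m = API_LINE.search(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args") is not None:
        for raw in m.group("args").split(","):
            raw = raw.strip()
            args.append(int(raw, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", raw) else None)
    return {"api": m.group("api"), "mod": m.group("mod"),
            "args": args, "ref": int(m.group("ref"), 16)}


def describe_context_flags(flags: Optional[int]) -> List[str]:
    """Names of the x86 CONTEXT_* register groups selected by a ContextFlags value."""
    if flags is None or not flags & CONTEXT_i386:
        return []
    return [name for name, value in X86_CONTEXT_FLAGS if (flags & value) == value]


def find_hollowing_chain(lines: List[str]) -> Optional[Dict[str, object]]:
    """Walk the calls in order and return the 'ref' of each stage of a
    CreateProcess*(CREATE_SUSPENDED) -> WriteProcessMemory ->
    [Wow64]SetThreadContext -> ResumeThread chain, or None if it is absent.
    Calls in between (GetThreadContext, the TerminateProcess error path)
    are skipped rather than breaking the chain."""
    chain: Dict[str, object] = {}
    stage = 0
    for call in filter(None, map(parse_api_line, lines)):
        api, args = call["api"], call["args"]
        if stage == 0 and api in ("CreateProcessA", "CreateProcessW"):
            flags = args[5] if len(args) > 5 else None     # dwCreationFlags (assumed slot)
            if flags is not None and flags & CREATE_SUSPENDED:
                chain["create_suspended"], stage = call["ref"], 1
        elif stage == 1 and api in ("WriteProcessMemory", "NtWriteVirtualMemory"):
            chain["write"], stage = call["ref"], 2
        elif stage == 2 and api in ("SetThreadContext", "Wow64SetThreadContext"):
            chain["set_context"], stage = call["ref"], 3
            # Assumed: the second printed slot is the dereferenced ContextFlags DWORD.
            chain["context_flags"] = args[1] if len(args) > 1 else None
            chain["context_groups"] = describe_context_flags(chain["context_flags"])
        elif stage == 3 and api in ("ResumeThread", "NtResumeThread"):
            chain["resume"], stage = call["ref"], 4
            break
    return chain if stage == 4 else None


# Input 1: the call list of the function at 0040977C, copied from the report.
TOFSEE_INJECT_TRACE = [
    "• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1",
    "• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB",
    "• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9",
    "• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831",
    "• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E",
    "• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B",
]
# Input 2: constructed benign trace, a plain (not suspended) child launch.
BENIGN_TRACE = [
    "• CreateProcessA.KERNELBASE(00000000,00401000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401234",
    "• WaitForSingleObject.KERNEL32(?,FFFFFFFF), ref: 00401250",
]

if __name__ == "__main__":
    print(find_hollowing_chain(TOFSEE_INJECT_TRACE))
    print(find_hollowing_chain(BENIGN_TRACE))
```

The matcher keys on the CREATE_SUSPENDED bit rather than on CreateProcess alone, so ordinary child launches do not fire, and it accepts the Nt* and Wow64* spellings because a 32-bit injector on a 64-bit host (this process is running from C:\Windows\SysWOW64\) reaches the thread context through the Wow64 pair.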

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 586 404000-404008 587 40400b-40402a CreateFileA 586->587 588 404057 587->588 589 40402c-404035 GetLastError 587->589 592 404059-40405c 588->592 590 404052 589->590 591 404037-40403a 589->591 594 404054-404056 590->594 591->590 593 40403c-40403f 591->593 592->594 593->592 595 404041-404050 Sleep 593->595 595->587 595->590
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 614 406e36-406e5d GetUserNameW 615 406ebe-406ec2 614->615 616 406e5f-406e95 LookupAccountNameW 614->616 616->615 617 406e97-406e9b 616->617 618 406ebb-406ebd 617->618 619 406e9d-406ea3 617->619 618->615 619->618 620 406ea5-406eaa 619->620 621 406eb7-406eb9 620->621 622 406eac-406eb0 620->622 621->615 622->618 623 406eb2-406eb5 622->623 623->618 623->621
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID:
                                                                                            • API String ID: 2370142434-0
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 624 8024b8-8024d1 625 8024d3-8024d5 624->625 626 8024d7 625->626 627 8024dc-8024e8 CreateToolhelp32Snapshot 625->627 626->627 628 8024f8-802505 Module32First 627->628 629 8024ea-8024f0 627->629 630 802507-802508 call 802177 628->630 631 80250e-802516 628->631 629->628 634 8024f2-8024f6 629->634 635 80250d 630->635 634->625 634->628 635->631
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008024E0
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00802500
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724774915.00000000007F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F2000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7f2000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: bf762c584f1dd8fc047833872e5d0334f877e9149fe0f43ec19ba09aa219cb85
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: 01F062352007146BD7603AB9AC8DA6F76E8FF89724F100669E652D54C0DBB0E8454A65

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 637 780e0f-780e24 SetErrorMode * 2 638 780e2b-780e2c 637->638 639 780e26 637->639 639->638
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,00780223,?,?), ref: 00780E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,00780223,?,?), ref: 00780E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: c37cf524c63f5757edd935c017db940ef546b67fe649cc31a07347fd0354d86c
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: 77D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DD9080C774994047E5

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 640 406dc2-406dd5 641 406e33-406e35 640->641 642 406dd7-406df1 call 406cc9 call 40ef00 640->642 647 406df4-406df9 642->647 647->647 648 406dfb-406e00 647->648 649 406e02-406e22 GetVolumeInformationA 648->649 650 406e24 648->650 649->650 651 406e2e 649->651 650->651 651->641
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 652 409892-4098c0 653 4098c2-4098c5 652->653 654 4098d9 652->654 653->654 655 4098c7-4098d7 653->655 656 4098e0-4098f1 SetServiceStatus 654->656 655->656
                                                                                            APIs
                                                                                            • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ServiceStatus
                                                                                            • String ID:
                                                                                            • API String ID: 3969395364-0
                                                                                            • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                            • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                             Control-flow graph: 657 [780920-780929, TerminateProcess]
                                                                                            APIs
                                                                                            • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00780929
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessTerminate
                                                                                            • String ID:
                                                                                            • API String ID: 560597551-0
                                                                                            • Opcode ID: cf8f02fdaed65286ce872f3570c8b88d6c4cb2f13aa03d0d20e57ddf82142f08
                                                                                            • Instruction ID: c020644df524c2f76e0858e256880dd47cc8058b9a19a2f123197d7715fd106d
                                                                                            • Opcode Fuzzy Hash: cf8f02fdaed65286ce872f3570c8b88d6c4cb2f13aa03d0d20e57ddf82142f08
                                                                                            • Instruction Fuzzy Hash: DA90026024516011D820259D0C01B5500122747634F3117507270B92D1C44197004115
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008021C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724774915.00000000007F2000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F2000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7f2000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: a455b6d926b29f98eedb7c4108d6d19e0260f7545696d47233795d7d4b98deee
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: 20112D79A00208EFDB01DF98C985E98BBF5EF08350F058094FA489B362D771EA50DF80
                                                                                            APIs
                                                                                              • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3100162736-0
                                                                                            • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                            • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 007865F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00786610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00786631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00786652
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 9e22945f9bed584e372acad72256f75da19f8ea1f3e967655bd5b861a3def70b
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 4E11A3B1740258BFDB21AF65DC0AF9B3FA8EB047A5F104024F908E7251E7B5DD0087A4
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 00789E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00789FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 00789FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0078A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0078A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0078A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0078A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 0078A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 0078A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00789F13
                                                                                              • Part of subcall function 00787029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00787081
                                                                                              • Part of subcall function 00786F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\reoueqqp,00787043), ref: 00786F4E
                                                                                              • Part of subcall function 00786F30: GetProcAddress.KERNEL32(00000000), ref: 00786F55
                                                                                              • Part of subcall function 00786F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
                                                                                              • Part of subcall function 00786F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0078A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0078A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0078A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0078A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0078A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0078A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0078A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0078A2F4
                                                                                            • wsprintfA.USER32 ref: 0078A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0078A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 0078A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0078A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0078A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1D1
                                                                                              • Part of subcall function 00789966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0078999D
                                                                                              • Part of subcall function 00789966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007899BD
                                                                                              • Part of subcall function 00789966: RegCloseKey.ADVAPI32(?), ref: 007899C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0078A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0078A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0078A41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: fcd6cfc1229646f162688ada09cd9548fc519c1614a6a490e657c959ea0a90b0
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: F1F112B1D80259FFDF11EBA09C49EEF7BBCAB08300F1444A6F605E2141E7799A858F65
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00787D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00787D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00787DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00787E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00787E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$D
                                                                                            • API String ID: 2976863881-3230128393
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 5d765d5f1e80701d1017c59c09a3c21054aebdb72f923c3248f286917c5cb4fc
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: B1A15C71940219AFDB11DFA1DD88FEEBBB9FB08300F148069F616E2150DB79CA85CB64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00787A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00787ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00787B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00787B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00787B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 00787BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 00787C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00787CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00787CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00787CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: e90db8605f24c7f4b8cdea20a8669ae03bab4930f35680131aa2d7c0f7e4d63d
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: A1815C71944219AFDB11DFA4DD88FEEBBBCAF08340F24806AE506E7150D779CA41CB64
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$localcfg
                                                                                            • API String ID: 237177642-3993056816
                                                                                            • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-179334549
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0078865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0078867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007886A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007886B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe
                                                                                            • API String ID: 237177642-1353413065
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: e7fd308d00a54076d95c34a6a741fe4ef1c2517d2ffb4fe337ea5a89d3a2103d
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 13C1A0B1980108FEEB51BBA4DD89EEF7BBDEB04300F544076F605E6051EB784E948B66
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 00781601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 007817D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: 56effd8c578fc6a756252e3c3c41c79e8ba6b0f8186d24e4f90db8795d4cfe5d
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 2AF19EB15483419FD720EF64C888BABB7E8FB88300F90892DF596D7290D7B8D945CB56
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007876D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00787757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0078778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 007878B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0078794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0078796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0078797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 007879AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00787A56
                                                                                              • Part of subcall function 0078F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0078772A,?), ref: 0078F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007879F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00787A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: 052c9d4e6bbc6744200fa5f9b792f86a5469912d2ebfa4157b534f51d5ec58c3
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: EFC1C172984209EFDB15ABA4DC49FEE7BB9EF45310F2040A1F505E6191EB79DA80CB60
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00782CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00782D07
                                                                                            • htons.WS2_32(00000000), ref: 00782D42
                                                                                            • select.WS2_32 ref: 00782D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00782DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00782E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: e9ea1ebc2f37348c9937cc14dcfa3e73d43684d78d6910b0c3dceb79edd0491d
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: 2C61C071544305AFC720BF64DC0CB6BBBF8EB48752F144819F98497152D7B9D882CBAA
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00783068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00783078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 00783095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 007830B6
                                                                                            • htons.WS2_32(00000035), ref: 007830EF
                                                                                            • inet_addr.WS2_32(?), ref: 007830FA
                                                                                            • gethostbyname.WS2_32(?), ref: 0078310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 0078314D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: 3bab4b7665f45b89bfc39abb1b2f357255c2d1f5fbfa5cb918e228851aa91b29
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: 31318731E4060AABDB11ABBCDC4CAAE7778AF04F61F144125E518E7290DB7CDE418B54
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 007895A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007895D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 007895DC
                                                                                            • wsprintfA.USER32 ref: 00789635
                                                                                            • wsprintfA.USER32 ref: 00789673
                                                                                            • wsprintfA.USER32 ref: 007896F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00789758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0078978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007897D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID:
                                                                                            • API String ID: 3696105349-0
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: 42de77b672943b115824066a523765a322ec8d48bec6b8c15357696fcfb44a13
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: 3BA182B198020CEFEB11EFA1CC49FEA3BACEB04741F144026FA15D6152E779D984CBA4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007867C3
                                                                                            • htonl.WS2_32(?), ref: 007867DF
                                                                                            • htonl.WS2_32(?), ref: 007867EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007868F1
                                                                                            • ExitProcess.KERNEL32 ref: 007869BC
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: e23bd7f508c8abb35fba742c0d6c65c3467317decb6e1f62545f3f6089b4f3d8
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: EC615071940208EFDB60AFB4DC45FEA77E9FB08300F148069F96DD2161DB7599948F54
APIs
• htons.WS2_32(0078CC84), ref: 0078F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0078F5CE
• closesocket.WS2_32(00000000), ref: 0078F5DC
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 601d0fa4c20371f1001b25fb6555c543218af509c7ea1819fd7a83ef71eb4bb1
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: F6315A72A40118ABDB10EFA5DC89DEE7BBCEF88310F104566F915E3150E7749A818BA4

APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98

APIs
• GetModuleHandleA.KERNEL32(?), ref: 00782FA1
• LoadLibraryA.KERNEL32(?), ref: 00782FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00782FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00783000
• RtlAllocateHeap.NTDLL(00000000), ref: 00783007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00783032
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 6bd1a1b5ec82ea021da7d592a4b532bfc52a074098fa33ec8d8d825599d49567
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 6021A471980625BBCB21AB98DC489EEBBBDEF08B11F104421F901E7141D7B89E81C7D4

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00789A18
• GetThreadContext.KERNEL32(?,?), ref: 00789A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00789A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00789A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00789AB5
• ResumeThread.KERNEL32(?), ref: 00789AC2
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: b15de8dc03c43e32fa077fe81270d95784aaea7327ae09b2603fa0f470c7e840
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: FB213BB1A41219BBDB11ABA1DC09EEF7BBCEF04750F448061FA19E1150E7798A44CBA5

APIs
• inet_addr.WS2_32(004102D8), ref: 00781C18
• LoadLibraryA.KERNEL32(004102C8), ref: 00781C26
• GetProcessHeap.KERNEL32 ref: 00781C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00781C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00781CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 00781D02
• FreeLibrary.KERNEL32(?), ref: 00781D0B
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: ad3110e32fe948610cd97040d80640b7f0850246609407a004ae0c5a5fe2ee87
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: 8C314F32E40219BFCB11AFE4DC889FEBBB9EB45711B64447AE501A2110D7B94E81DBA4

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00786CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00786D22
• GetLastError.KERNEL32 ref: 00786DA7
• CloseHandle.KERNEL32(?), ref: 00786DB5
• GetLastError.KERNEL32 ref: 00786DD6
• DeleteFileA.KERNEL32(?), ref: 00786DE7
• GetLastError.KERNEL32 ref: 00786DFD
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: 63c244b3ab6a512c6fa3a06b18b7d64518628dcb37c5937cf447235420ea8759
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 2331FE76A40249BFCF01EFA49D48ADEBFB9EB48300F148466E211E3212D7748A858B61

APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\reoueqqp,00787043), ref: 00786F4E
• GetProcAddress.KERNEL32(00000000), ref: 00786F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\reoueqqp
• API String ID: 1082366364-1777047624
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 12a4025699fa090bce9363291915759317fb4ead2325f3cccc56c05a67a05c0c
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 5A21C2617C5344B9F7227331AC8DFBB2A4C8B52711F2840A5F644A5192DADDC8D6C36D

Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
• Instruction ID: 8d1d207496ef616f35eceff2fca501376c02336d8d0640fbf19d9aaf779e6c9f
• Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
• Instruction Fuzzy Hash: 3D7109B1AC4304BAFF21BB54DC85FEE3B699B00715F244077F904E6091DA6E9D848767

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54

APIs
  • Part of subcall function 0078DF6C: GetCurrentThreadId.KERNEL32 ref: 0078DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 0078E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00786128), ref: 0078E950
• lstrcmp.KERNEL32(?,00000008), ref: 0078E989
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: f3a78f06b441fe478f93ed133a6f2ae6492b7247684b4874492198e029fca0dd
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: 05319031640705DBDB71AF24C888BAA7BE8EB15720F10852AE55587551D3B8FC80CB82

APIs
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: ad91502c918df71d043ef53d816e9cc1f178552f3268e5d244bc5e88c32108aa
• Instruction Fuzzy Hash: A5213876244219FFEB10ABA4EC49EDF3EADEB49760B208425F602D1091EB789A409774
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
• wsprintfA.USER32 ref: 00789350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
• lstrlen.KERNEL32(?,?,00000000), ref: 00789389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
• CloseHandle.KERNEL32(00000000), ref: 0078939B
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: a677a98da3d9aee16c71f691049b3079da5b76deedd8fde0d690a343223b0933
• Instruction Fuzzy Hash: 071157B5780114BBE7607772EC0EFEF3A6DDBC5B11F008065BB09E5091EBB84A558764
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0078C6B4
• InterlockedIncrement.KERNEL32(0078C74B), ref: 0078C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0078C747), ref: 0078C728
• CloseHandle.KERNEL32(00000000,?,0078C747,00413588,00788A77), ref: 0078C733
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 1e6f1576e2e50f53fadbf419bc5d0a0ece3ed34da1cb4f80c9286cd8a0785033
• Instruction Fuzzy Hash: FE5151B1A41B418FD7359F69C5C5526BBE9FB48300B50593EE18BC7A90E778F844CB20
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe
• API String ID: 124786226-148016686
• Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
• RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0078E38E
• RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
• RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: Dx
• API String ID: 2667537340-788195219
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: b9a742336527e5f60ba28222633e1201b5f99b874b97378a97f56ae149f20ed2
• Instruction Fuzzy Hash: CE213C71A4021DBBDF20AFA5EC89EEE7F79EF08750F048061F904E6161E7758A54D7A0
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007871E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787228
• LocalFree.KERNEL32(?,?,?), ref: 00787286
• wsprintfA.USER32 ref: 0078729D
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 69799ed38631098953583dc070a86043a87f163e39c50755d062a3815318b6fd
• Instruction Fuzzy Hash: 32311C72944208FFDB01EFA4DC49ADA7BBCEF04314F148066F959DB101EA79D648CB94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0078B51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078B529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0078B590
                                                                                            • wsprintfA.USER32 ref: 0078B61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00786303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 0078632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 007863B1
                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00786405
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 3498078134-0
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1802437671-0
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007893C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 007893CD
                                                                                            • CharToOemA.USER32(?,?), ref: 007893DB
                                                                                            • wsprintfA.USER32 ref: 00789410
                                                                                              • Part of subcall function 007892CB: GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
                                                                                              • Part of subcall function 007892CB: wsprintfA.USER32 ref: 00789350
                                                                                              • Part of subcall function 007892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
                                                                                              • Part of subcall function 007892CB: lstrlen.KERNEL32(?,?,00000000), ref: 00789389
                                                                                              • Part of subcall function 007892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
                                                                                              • Part of subcall function 007892CB: CloseHandle.KERNEL32(00000000), ref: 0078939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00789448
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
• CloseHandle.KERNEL32(000000FF), ref: 00786BD8
  • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
  • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007841AB
• GetLastError.KERNEL32 ref: 007841B5
• WaitForSingleObject.KERNEL32(?,?), ref: 007841C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007841D9
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0078421F
• GetLastError.KERNEL32 ref: 00784229
• WaitForSingleObject.KERNEL32(?,?), ref: 0078423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0078424D
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0078E066
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00000001,Dx,00000000,00000000,00000000), ref: 0078E470
• CloseHandle.KERNEL32(00000001,00000003), ref: 0078E484
  • Part of subcall function 0078E2FC: RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
  • Part of subcall function 0078E2FC: RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0078E38E
  • Part of subcall function 0078E2FC: RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
  • Part of subcall function 0078E2FC: RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: Dx
• API String ID: 4151426672-788195219
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007883C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00788477
  • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
  • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
  • Part of subcall function 007869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
  • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
  • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe
• API String ID: 359188348-148016686
APIs
• GetLocalTime.KERNEL32(?), ref: 0078AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B00D
  • Part of subcall function 0078AF6F: gethostname.WS2_32(?,00000080), ref: 0078AF83
  • Part of subcall function 0078AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0078AFE6
  • Part of subcall function 0078331C: gethostname.WS2_32(?,00000080), ref: 0078333F
  • Part of subcall function 0078331C: gethostbyname.WS2_32(?), ref: 00783349
  • Part of subcall function 0078AA0A: inet_ntoa.WS2_32(00000000), ref: 0078AA10
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00789536
• Sleep.KERNEL32(000001F4), ref: 0078955D
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
APIs
• GetTickCount.KERNEL32 ref: 0078B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0078BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0078BA94
• GetTickCount.KERNEL32 ref: 0078BB79
• GetTickCount.KERNEL32 ref: 0078BB99
• InterlockedIncrement.KERNEL32(?), ref: 0078BE15
• closesocket.WS2_32(00000000), ref: 0078BEB4
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 007870BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007870F4
Memory Dump Source
• Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Memory Dump Source
• Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 00782F88: GetModuleHandleA.KERNEL32(?), ref: 00782FA1
                                                                                              • Part of subcall function 00782F88: LoadLibraryA.KERNEL32(?), ref: 00782FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007831DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 007831E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724662363.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_780000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: b1b0c1146997e16d652d6cf526e355ffa6fc717f626ca4eab37d9ecdda0bd4a0
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 4D519A3194020AEFCF01AF68D8889FAB775FF15705F244169EC96C7211E73ADA19CB90
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.1724382198.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1809
Total number of Limit Nodes: 18
6437->6432 6438->6421 6439->6421 6440->6421 6441->6436 7011 2997fcf 6441->7011 6442->6421 6443->6421 6443->6445 6445->6421 6448 299d415 WriteFile CloseHandle 6445->6448 6447->6421 6448->6421 6449 299cda5 6452 2997ee6 64 API calls 6449->6452 6450 299cd81 WaitForSingleObject CloseHandle CloseHandle 6451 299f04e 4 API calls 6450->6451 6451->6449 6455 299cdbd DeleteFileA 6452->6455 6453->6445 6454->6421 6454->6457 6455->6421 6456->6421 6458 299d4e8 CloseHandle CloseHandle 6456->6458 6457->6421 6460 299d2d8 WriteFile CloseHandle 6457->6460 6458->6421 6459->6421 6460->6421 6461->6421 6462->6457 6465->6421 6467 299677a SetFileAttributesA 6466->6467 6468 2996784 CreateFileA 6466->6468 6467->6468 6469 29967b5 6468->6469 6470 29967a4 CreateFileA 6468->6470 6471 29967ba SetFileAttributesA 6469->6471 6472 29967c5 6469->6472 6470->6469 6471->6472 6473 29967cf GetFileSize 6472->6473 6474 2996977 6472->6474 6475 29967e5 6473->6475 6493 2996965 6473->6493 6474->6161 6494 2996a60 CreateFileA 6474->6494 6477 29967ed ReadFile 6475->6477 6475->6493 6476 299696e FindCloseChangeNotification 6476->6474 6478 2996811 SetFilePointer 6477->6478 6477->6493 6479 299682a ReadFile 6478->6479 6478->6493 6480 2996848 SetFilePointer 6479->6480 6479->6493 6481 2996867 6480->6481 6480->6493 6482 2996878 ReadFile 6481->6482 6483 29968d5 6481->6483 6484 2996891 6482->6484 6487 29968d0 6482->6487 6483->6476 6485 299ebcc 4 API calls 6483->6485 6484->6482 6484->6487 6486 29968f8 6485->6486 6488 2996900 SetFilePointer 6486->6488 6486->6493 6487->6483 6489 299695a 6488->6489 6490 299690d ReadFile 6488->6490 6492 299ec2e codecvt 4 API calls 6489->6492 6490->6489 6491 2996922 6490->6491 6491->6476 6492->6493 6493->6476 6495 2996b8c GetLastError 6494->6495 6496 2996a8f GetDiskFreeSpaceA 6494->6496 6505 2996b86 6495->6505 6497 2996ac5 6496->6497 6506 2996ad7 6496->6506 7180 299eb0e 6497->7180 6501 2996b56 CloseHandle 6504 2996b65 GetLastError CloseHandle 6501->6504 6501->6505 6502 2996b36 GetLastError 
CloseHandle 6503 2996b7f DeleteFileA 6502->6503 6503->6505 6504->6503 6505->6177 7184 2996987 6506->7184 6508 29996b9 6507->6508 6509 29973ff 17 API calls 6508->6509 6510 29996e2 6509->6510 6511 29996f7 6510->6511 6512 299704c 16 API calls 6510->6512 6511->6153 6511->6154 6512->6511 6514 29942a5 6513->6514 6519 299429d 6513->6519 7190 2993ecd 6514->7190 6516 29942b0 7194 2994000 6516->7194 6518 29943c1 CloseHandle 6518->6519 6519->6157 6519->6174 6520 29942b6 6520->6518 6520->6519 7200 2993f18 WriteFile 6520->7200 6525 29943ba CloseHandle 6525->6518 6526 2994318 6527 2993f18 4 API calls 6526->6527 6528 2994331 6527->6528 6529 2993f18 4 API calls 6528->6529 6530 299434a 6529->6530 6531 299ebcc 4 API calls 6530->6531 6532 2994350 6531->6532 6533 2993f18 4 API calls 6532->6533 6534 2994389 6533->6534 6535 299ec2e codecvt 4 API calls 6534->6535 6536 299438f 6535->6536 6537 2993f8c 4 API calls 6536->6537 6538 299439f CloseHandle CloseHandle 6537->6538 6538->6519 6540 29999eb 6539->6540 6541 2999a2f lstrcatA 6540->6541 6542 299ee2a 6541->6542 6543 2999a4b lstrcatA 6542->6543 6544 2996a60 13 API calls 6543->6544 6545 2999a60 6544->6545 6545->6183 6545->6212 6546 2996dc2 6545->6546 6547 2996e33 6546->6547 6548 2996dd7 6546->6548 6547->6200 6549 2996cc9 5 API calls 6548->6549 6550 2996ddc 6549->6550 6550->6550 6551 2996e02 GetVolumeInformationA 6550->6551 6552 2996e24 6550->6552 6551->6552 6552->6547 6554 2996cdc GetModuleHandleA GetProcAddress 6553->6554 6561 2996d8b 6553->6561 6555 2996cfd 6554->6555 6556 2996d12 GetSystemDirectoryA 6554->6556 6555->6556 6555->6561 6557 2996d1e 6556->6557 6558 2996d27 GetWindowsDirectoryA 6556->6558 6557->6558 6557->6561 6559 2996d42 6558->6559 6560 299ef1e lstrlenA 6559->6560 6560->6561 6561->6208 7208 2991910 6562->7208 6565 299934a GetModuleHandleA GetModuleFileNameA 6567 299937f 6565->6567 6568 29993d9 6567->6568 6569 29993a4 6567->6569 6571 2999401 wsprintfA 6568->6571 6570 29993c3 wsprintfA 6569->6570 6572 2999415 6570->6572 
6571->6572 6573 29994a0 6572->6573 6576 2996cc9 5 API calls 6572->6576 6574 2996edd 5 API calls 6573->6574 6575 29994ac 6574->6575 6577 299962f 6575->6577 6578 29994e8 RegOpenKeyExA 6575->6578 6579 2999439 6576->6579 6584 2999646 6577->6584 7223 2991820 6577->7223 6581 29994fb 6578->6581 6582 2999502 6578->6582 6586 299ef1e lstrlenA 6579->6586 6581->6577 6587 299958a 6581->6587 6585 299951f RegQueryValueExA 6582->6585 6593 29995d6 6584->6593 7229 29991eb 6584->7229 6588 2999539 6585->6588 6589 2999530 6585->6589 6590 2999462 6586->6590 6587->6584 6591 2999593 6587->6591 6594 2999556 RegQueryValueExA 6588->6594 6592 299956e RegCloseKey 6589->6592 6595 299947e wsprintfA 6590->6595 6591->6593 7210 299f0e4 6591->7210 6592->6581 6593->6219 6593->6220 6594->6589 6594->6592 6595->6573 6597 29995bb 6597->6593 7217 29918e0 6597->7217 6600 2992544 6599->6600 6601 299972d RegOpenKeyExA 6600->6601 6602 2999765 6601->6602 6603 2999740 6601->6603 6602->6194 6604 299974f RegDeleteValueA RegCloseKey 6603->6604 6604->6602 6606 2992554 lstrcatA 6605->6606 6607 299ee2a 6606->6607 6608 299a0ec lstrcatA 6607->6608 6608->6227 6610 299a15d 6609->6610 6611 299ec37 6609->6611 6610->6157 6610->6161 6612 299eba0 codecvt 2 API calls 6611->6612 6613 299ec3d GetProcessHeap RtlFreeHeap 6612->6613 6613->6610 6615 2992544 6614->6615 6616 299919e wsprintfA 6615->6616 6617 29991bb 6616->6617 7267 2999064 GetTempPathA 6617->7267 6620 29991d5 ShellExecuteA 6621 29991e7 6620->6621 6621->6177 6623 2996ed5 6622->6623 6624 2996ecc 6622->6624 6623->6215 6625 2996e36 2 API calls 6624->6625 6625->6623 6627 29998f6 6626->6627 6628 2994280 30 API calls 6627->6628 6629 2999904 Sleep 6627->6629 6630 2999915 6627->6630 6628->6627 6629->6627 6629->6630 6632 2999947 6630->6632 7274 299977c 6630->7274 6632->6209 6634 299dd41 InterlockedExchange 6633->6634 6635 299dd4a 6634->6635 6636 299dd20 GetCurrentThreadId 6634->6636 6638 299dd53 GetCurrentThreadId 6635->6638 6637 299dd2e GetTickCount 6636->6637 6636->6638 6639 
299dd39 Sleep 6637->6639 6640 299dd4c 6637->6640 6638->6246 6639->6634 6640->6638 6642 299dbf0 6641->6642 6674 299db67 GetEnvironmentVariableA 6642->6674 6644 299dc19 6645 299dcda 6644->6645 6646 299db67 3 API calls 6644->6646 6645->6248 6647 299dc5c 6646->6647 6647->6645 6648 299db67 3 API calls 6647->6648 6649 299dc9b 6648->6649 6649->6645 6650 299db67 3 API calls 6649->6650 6650->6645 6652 299e528 6651->6652 6653 299e3f4 6651->6653 6652->6259 6654 299e434 RegQueryValueExA 6653->6654 6655 299e458 6654->6655 6656 299e51d RegCloseKey 6654->6656 6657 299e46e RegQueryValueExA 6655->6657 6656->6652 6657->6655 6658 299e488 6657->6658 6658->6656 6659 299db2e 8 API calls 6658->6659 6660 299e499 6659->6660 6660->6656 6661 299e4b9 RegQueryValueExA 6660->6661 6662 299e4e8 6660->6662 6661->6660 6661->6662 6662->6656 6663 299e332 14 API calls 6662->6663 6664 299e513 6663->6664 6664->6656 6666 299db3a 6665->6666 6668 299db55 6665->6668 6678 299ebed 6666->6678 6668->6250 6668->6255 6696 299f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6669->6696 6671 299e3be 6671->6250 6673 299e342 6673->6671 6699 299de24 6673->6699 6675 299db89 lstrcpyA CreateFileA 6674->6675 6676 299dbca 6674->6676 6675->6644 6676->6644 6679 299ec01 6678->6679 6680 299ebf6 6678->6680 6690 299eba0 6679->6690 6687 299ebcc GetProcessHeap RtlAllocateHeap 6680->6687 6688 299eb74 2 API calls 6687->6688 6689 299ebe8 6688->6689 6689->6668 6691 299ebbf GetProcessHeap RtlReAllocateHeap 6690->6691 6692 299eba7 GetProcessHeap HeapSize 6690->6692 6693 299eb74 6691->6693 6692->6691 6694 299eb7b GetProcessHeap HeapSize 6693->6694 6695 299eb93 6693->6695 6694->6695 6695->6668 6710 299eb41 6696->6710 6698 299f0b7 6698->6673 6700 299de3a 6699->6700 6703 299de4e 6700->6703 6719 299dd84 6700->6719 6703->6673 6704 299ebed 8 API calls 6706 299def6 6704->6706 6705 299de9e 6705->6703 6705->6704 6706->6703 6709 299ddcf lstrcmpA 6706->6709 6707 299de76 6723 299ddcf 6707->6723 6709->6703 6711 299eb4a 6710->6711 6712 299eb61 
6710->6712 6715 299eae4 6711->6715 6712->6698 6714 299eb54 6714->6698 6714->6712 6716 299eaed LoadLibraryA 6715->6716 6717 299eb02 GetProcAddress 6715->6717 6716->6717 6718 299eb01 6716->6718 6717->6714 6718->6714 6720 299dd96 6719->6720 6721 299ddc5 6719->6721 6720->6721 6722 299ddad lstrcmpiA 6720->6722 6721->6705 6721->6707 6722->6720 6722->6721 6724 299de20 6723->6724 6725 299dddd 6723->6725 6724->6703 6725->6724 6726 299ddfa lstrcmpA 6725->6726 6726->6725 6728 299dd05 6 API calls 6727->6728 6729 299e821 6728->6729 6730 299dd84 lstrcmpiA 6729->6730 6731 299e82c 6730->6731 6732 299e844 6731->6732 6777 2992480 6731->6777 6732->6275 6735 299ea98 6734->6735 6786 299e8a1 6735->6786 6737 2991e84 6737->6284 6739 29919d5 GetProcAddress GetProcAddress GetProcAddress 6738->6739 6742 29919ce 6738->6742 6740 2991ab3 FreeLibrary 6739->6740 6741 2991a04 6739->6741 6740->6742 6741->6740 6743 2991a14 GetBestInterface GetProcessHeap 6741->6743 6742->6288 6743->6742 6744 2991a2e HeapAlloc 6743->6744 6744->6742 6745 2991a42 GetAdaptersInfo 6744->6745 6746 2991a62 6745->6746 6747 2991a52 HeapReAlloc 6745->6747 6748 2991a69 GetAdaptersInfo 6746->6748 6749 2991aa1 FreeLibrary 6746->6749 6747->6746 6748->6749 6750 2991a75 HeapFree 6748->6750 6749->6742 6750->6749 6814 2991ac3 LoadLibraryA 6752->6814 6755 2991bcf 6755->6299 6757 2991ac3 13 API calls 6756->6757 6758 2991c09 6757->6758 6759 2991c5a 6758->6759 6760 2991c0d GetComputerNameA 6758->6760 6759->6307 6761 2991c1f 6760->6761 6762 2991c45 GetVolumeInformationA 6760->6762 6761->6762 6763 2991c41 6761->6763 6762->6759 6763->6759 6765 299ee2a 6764->6765 6766 29930d0 gethostname gethostbyname 6765->6766 6767 2991f82 6766->6767 6767->6312 6767->6314 6769 299dd05 6 API calls 6768->6769 6770 299df7c 6769->6770 6771 299dd84 lstrcmpiA 6770->6771 6775 299df89 6771->6775 6772 299dfc4 6772->6281 6773 299ddcf lstrcmpA 6773->6775 6774 299ec2e codecvt 4 API calls 6774->6775 6775->6772 6775->6773 6775->6774 6776 299dd84 lstrcmpiA 6775->6776 
6776->6775 6780 2992419 lstrlenA 6777->6780 6779 2992491 6779->6732 6781 299243d lstrlenA 6780->6781 6782 2992474 6780->6782 6783 299244e lstrcmpiA 6781->6783 6784 2992464 lstrlenA 6781->6784 6782->6779 6783->6784 6785 299245c 6783->6785 6784->6781 6784->6782 6785->6782 6785->6784 6787 299dd05 6 API calls 6786->6787 6788 299e8b4 6787->6788 6789 299dd84 lstrcmpiA 6788->6789 6790 299e8c0 6789->6790 6791 299e8c8 lstrcpynA 6790->6791 6792 299e90a 6790->6792 6793 299e8f5 6791->6793 6794 2992419 4 API calls 6792->6794 6802 299ea27 6792->6802 6807 299df4c 6793->6807 6795 299e926 lstrlenA lstrlenA 6794->6795 6796 299e96a 6795->6796 6797 299e94c lstrlenA 6795->6797 6801 299ebcc 4 API calls 6796->6801 6796->6802 6797->6796 6799 299e901 6800 299dd84 lstrcmpiA 6799->6800 6800->6792 6803 299e98f 6801->6803 6802->6737 6803->6802 6804 299df4c 20 API calls 6803->6804 6805 299ea1e 6804->6805 6806 299ec2e codecvt 4 API calls 6805->6806 6806->6802 6808 299dd05 6 API calls 6807->6808 6809 299df51 6808->6809 6810 299f04e 4 API calls 6809->6810 6811 299df58 6810->6811 6812 299de24 10 API calls 6811->6812 6813 299df63 6812->6813 6813->6799 6815 2991ae2 GetProcAddress 6814->6815 6821 2991b68 GetComputerNameA GetVolumeInformationA 6814->6821 6818 2991af5 6815->6818 6815->6821 6816 2991b1c GetAdaptersAddresses 6816->6818 6820 2991b29 6816->6820 6817 299ebed 8 API calls 6817->6818 6818->6816 6818->6817 6818->6820 6819 299ec2e codecvt 4 API calls 6819->6821 6820->6819 6820->6820 6820->6821 6821->6755 6823 2996ec3 2 API calls 6822->6823 6824 2997ef4 6823->6824 6834 2997fc9 6824->6834 6858 29973ff 6824->6858 6826 2997f16 6826->6834 6878 2997809 GetUserNameA 6826->6878 6828 2997f63 6828->6834 6902 299ef1e lstrlenA 6828->6902 6831 299ef1e lstrlenA 6832 2997fb7 6831->6832 6904 2997a95 RegOpenKeyExA 6832->6904 6834->6324 6836 2997073 6835->6836 6837 29970b9 RegOpenKeyExA 6836->6837 6838 29970d0 6837->6838 6852 29971b8 6837->6852 6839 2996dc2 6 API calls 6838->6839 6842 29970d5 6839->6842 6840 
299719b RegEnumValueA 6841 29971af RegCloseKey 6840->6841 6840->6842 6841->6852 6842->6840 6844 29971d0 6842->6844 6935 299f1a5 lstrlenA 6842->6935 6845 2997205 RegCloseKey 6844->6845 6846 2997227 6844->6846 6845->6852 6847 29972b8 ___ascii_stricmp 6846->6847 6848 299728e RegCloseKey 6846->6848 6849 29972cd RegCloseKey 6847->6849 6850 29972dd 6847->6850 6848->6852 6849->6852 6851 2997311 RegCloseKey 6850->6851 6853 2997335 6850->6853 6851->6852 6852->6323 6854 29973d5 RegCloseKey 6853->6854 6856 299737e GetFileAttributesExA 6853->6856 6857 2997397 6853->6857 6855 29973e4 6854->6855 6856->6857 6857->6854 6859 299741b 6858->6859 6860 2996dc2 6 API calls 6859->6860 6861 299743f 6860->6861 6862 2997469 RegOpenKeyExA 6861->6862 6863 29977f9 6862->6863 6874 2997487 ___ascii_stricmp 6862->6874 6863->6826 6864 2997703 RegEnumKeyA 6865 2997714 RegCloseKey 6864->6865 6864->6874 6865->6863 6866 299f1a5 lstrlenA 6866->6874 6867 29974d2 RegOpenKeyExA 6867->6874 6868 299772c 6870 299774b 6868->6870 6871 2997742 RegCloseKey 6868->6871 6869 2997521 RegQueryValueExA 6869->6874 6873 29977ec RegCloseKey 6870->6873 6871->6870 6872 29976e4 RegCloseKey 6872->6874 6873->6863 6874->6864 6874->6866 6874->6867 6874->6868 6874->6869 6874->6872 6875 2997769 6874->6875 6877 299777e GetFileAttributesExA 6874->6877 6876 29977e3 RegCloseKey 6875->6876 6876->6873 6877->6875 6879 299783d LookupAccountNameA 6878->6879 6880 2997a8d 6878->6880 6879->6880 6881 2997874 GetLengthSid GetFileSecurityA 6879->6881 6880->6828 6881->6880 6882 29978a8 GetSecurityDescriptorOwner 6881->6882 6883 299791d GetSecurityDescriptorDacl 6882->6883 6884 29978c5 EqualSid 6882->6884 6883->6880 6891 2997941 6883->6891 6884->6883 6885 29978dc LocalAlloc 6884->6885 6885->6883 6886 29978ef InitializeSecurityDescriptor 6885->6886 6887 29978fb SetSecurityDescriptorOwner 6886->6887 6888 2997916 LocalFree 6886->6888 6887->6888 6890 299790b SetFileSecurityA 6887->6890 6888->6883 6889 299795b GetAce 6889->6891 6890->6888 6891->6880 
6891->6889 6892 2997980 EqualSid 6891->6892 6893 2997a3d 6891->6893 6894 29979be EqualSid 6891->6894 6895 299799d DeleteAce 6891->6895 6892->6891 6893->6880 6896 2997a43 LocalAlloc 6893->6896 6894->6891 6895->6891 6896->6880 6897 2997a56 InitializeSecurityDescriptor 6896->6897 6898 2997a62 SetSecurityDescriptorDacl 6897->6898 6899 2997a86 LocalFree 6897->6899 6898->6899 6900 2997a73 SetFileSecurityA 6898->6900 6899->6880 6900->6899 6901 2997a83 6900->6901 6901->6899 6903 2997fa6 6902->6903 6903->6831 6905 2997acb GetUserNameA 6904->6905 6906 2997ac4 6904->6906 6907 2997aed LookupAccountNameA 6905->6907 6908 2997da7 RegCloseKey 6905->6908 6906->6834 6907->6908 6909 2997b24 RegGetKeySecurity 6907->6909 6908->6906 6909->6908 6910 2997b49 GetSecurityDescriptorOwner 6909->6910 6911 2997bb8 GetSecurityDescriptorDacl 6910->6911 6912 2997b63 EqualSid 6910->6912 6913 2997da6 6911->6913 6927 2997bdc 6911->6927 6912->6911 6914 2997b74 LocalAlloc 6912->6914 6913->6908 6914->6911 6915 2997b8a InitializeSecurityDescriptor 6914->6915 6917 2997bb1 LocalFree 6915->6917 6918 2997b96 SetSecurityDescriptorOwner 6915->6918 6916 2997bf8 GetAce 6916->6927 6917->6911 6918->6917 6919 2997ba6 RegSetKeySecurity 6918->6919 6919->6917 6920 2997c1d EqualSid 6920->6927 6921 2997cd9 6921->6913 6924 2997d5a LocalAlloc 6921->6924 6926 2997cf2 RegOpenKeyExA 6921->6926 6922 2997c5f EqualSid 6922->6927 6923 2997c3a DeleteAce 6923->6927 6924->6913 6925 2997d70 InitializeSecurityDescriptor 6924->6925 6928 2997d7c SetSecurityDescriptorDacl 6925->6928 6929 2997d9f LocalFree 6925->6929 6926->6924 6932 2997d0f 6926->6932 6927->6913 6927->6916 6927->6920 6927->6921 6927->6922 6927->6923 6928->6929 6930 2997d8c RegSetKeySecurity 6928->6930 6929->6913 6930->6929 6931 2997d9c 6930->6931 6931->6929 6933 2997d43 RegSetValueExA 6932->6933 6933->6924 6934 2997d54 6933->6934 6934->6924 6936 299f1c3 6935->6936 6936->6842 6937->6343 6939 299dd05 6 API calls 6938->6939 6942 299e65f 6939->6942 6940 299e6a5 6941 299ebcc 
4 API calls 6940->6941 6944 299e6f5 6940->6944 6945 299e6b0 6941->6945 6942->6940 6943 299e68c lstrcmpA 6942->6943 6943->6942 6947 299e71d lstrcmpA 6944->6947 6948 299e6b7 6944->6948 6945->6944 6946 299e6e0 lstrcpynA 6945->6946 6945->6948 6946->6944 6947->6944 6948->6345 6949->6351 6951 2992692 inet_addr 6950->6951 6953 299268e 6950->6953 6952 299269e gethostbyname 6951->6952 6951->6953 6952->6953 6954 299f428 6953->6954 7102 299f315 6954->7102 6957 299f43e 6958 299f473 recv 6957->6958 6959 299f458 6958->6959 6960 299f47c 6958->6960 6959->6958 6959->6960 6960->6382 6962 299c532 6961->6962 6963 299c525 6961->6963 6964 299c548 6962->6964 7115 299e7ff 6962->7115 6963->6962 6966 299ec2e codecvt 4 API calls 6963->6966 6967 299e7ff lstrcmpiA 6964->6967 6975 299c54f 6964->6975 6966->6962 6968 299c615 6967->6968 6969 299ebcc 4 API calls 6968->6969 6968->6975 6969->6975 6970 299c5d1 6973 299ebcc 4 API calls 6970->6973 6972 299e819 11 API calls 6974 299c5b7 6972->6974 6973->6975 6976 299f04e 4 API calls 6974->6976 6975->6364 6977 299c5bf 6976->6977 6977->6964 6977->6970 6980 299c8d2 6978->6980 6979 299c907 6979->6366 6980->6979 6981 299c517 23 API calls 6980->6981 6981->6979 6983 299c670 6982->6983 6984 299c67d 6982->6984 6985 299ebcc 4 API calls 6983->6985 6986 299ebcc 4 API calls 6984->6986 6988 299c699 6984->6988 6985->6984 6986->6988 6987 299c6f3 6987->6395 6987->6421 6988->6987 6989 299c73c send 6988->6989 6989->6987 6991 299c770 6990->6991 6992 299c77d 6990->6992 6993 299ebcc 4 API calls 6991->6993 6994 299c799 6992->6994 6995 299ebcc 4 API calls 6992->6995 6993->6992 6996 299ebcc 4 API calls 6994->6996 6998 299c7b5 6994->6998 6995->6994 6996->6998 6997 299f43e recv 6999 299c7cb 6997->6999 6998->6997 7000 299f43e recv 6999->7000 7001 299c7d3 6999->7001 7000->7001 7001->6421 7118 2997db7 7002->7118 7005 2997e96 7005->6421 7006 2997e70 7006->7005 7008 299f04e 4 API calls 7006->7008 7007 299f04e 4 API calls 7009 2997e4c 7007->7009 7008->7005 7009->7006 7010 299f04e 4 API 
calls 7009->7010 7010->7006 7012 2996ec3 2 API calls 7011->7012 7013 2997fdd 7012->7013 7014 29980c2 CreateProcessA 7013->7014 7015 29973ff 17 API calls 7013->7015 7014->6449 7014->6450 7016 2997fff 7015->7016 7016->7014 7017 2997809 21 API calls 7016->7017 7018 299804d 7017->7018 7018->7014 7019 299ef1e lstrlenA 7018->7019 7020 299809e 7019->7020 7021 299ef1e lstrlenA 7020->7021 7022 29980af 7021->7022 7023 2997a95 24 API calls 7022->7023 7023->7014 7025 2997db7 2 API calls 7024->7025 7026 2997eb8 7025->7026 7027 299f04e 4 API calls 7026->7027 7028 2997ece DeleteFileA 7027->7028 7028->6421 7030 299dd05 6 API calls 7029->7030 7031 299e31d 7030->7031 7122 299e177 7031->7122 7033 299e326 7033->6420 7035 29931f3 7034->7035 7045 29931ec 7034->7045 7036 299ebcc 4 API calls 7035->7036 7050 29931fc 7036->7050 7037 299344b 7038 2993459 7037->7038 7039 299349d 7037->7039 7041 299f04e 4 API calls 7038->7041 7040 299ec2e codecvt 4 API calls 7039->7040 7040->7045 7042 299345f 7041->7042 7044 29930fa 4 API calls 7042->7044 7043 299ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7043->7050 7044->7045 7045->6421 7046 299344d 7047 299ec2e codecvt 4 API calls 7046->7047 7047->7037 7049 2993141 lstrcmpiA 7049->7050 7050->7037 7050->7043 7050->7045 7050->7046 7050->7049 7148 29930fa GetTickCount 7050->7148 7052 29930fa 4 API calls 7051->7052 7053 2993c1a 7052->7053 7054 2993ce6 7053->7054 7153 2993a72 7053->7153 7054->6421 7057 2993a72 9 API calls 7058 2993c5e 7057->7058 7058->7054 7059 2993a72 9 API calls 7058->7059 7060 299ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7058->7060 7059->7058 7060->7058 7062 2993a10 7061->7062 7063 29930fa 4 API calls 7062->7063 7064 2993a1a 7063->7064 7064->6421 7066 299dd05 6 API calls 7065->7066 7067 299e7be 7066->7067 7067->6421 7069 299c07e wsprintfA 7068->7069 7073 299c105 7068->7073 7162 299bfce GetTickCount wsprintfA 7069->7162 7071 299c0ef 7163 299bfce GetTickCount wsprintfA 7071->7163 7073->6421 7075 2997047 
7074->7075 7076 2996f88 7074->7076 7075->6421 7076->7076 7077 2996f94 LookupAccountNameA 7076->7077 7078 2996fcb 7077->7078 7079 2997025 7077->7079 7082 2996fdb ConvertSidToStringSidA 7078->7082 7164 2996edd 7079->7164 7082->7079 7083 2996ff1 7082->7083 7084 2997013 LocalFree 7083->7084 7084->7079 7086 299dd05 6 API calls 7085->7086 7087 299e85c 7086->7087 7088 299dd84 lstrcmpiA 7087->7088 7089 299e867 7088->7089 7090 299e885 lstrcpyA 7089->7090 7175 29924a5 7089->7175 7178 299dd69 7090->7178 7096 2997db7 2 API calls 7095->7096 7097 2997de1 7096->7097 7098 2997e16 7097->7098 7099 299f04e 4 API calls 7097->7099 7098->6421 7100 2997df2 7099->7100 7100->7098 7101 299f04e 4 API calls 7100->7101 7101->7098 7103 299f33b 7102->7103 7104 299ca1d 7102->7104 7105 299f347 htons socket 7103->7105 7104->6379 7104->6957 7106 299f382 ioctlsocket 7105->7106 7107 299f374 closesocket 7105->7107 7108 299f3aa connect select 7106->7108 7109 299f39d 7106->7109 7107->7104 7108->7104 7111 299f3f2 __WSAFDIsSet 7108->7111 7110 299f39f closesocket 7109->7110 7110->7104 7111->7110 7112 299f403 ioctlsocket 7111->7112 7114 299f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7112->7114 7114->7104 7116 299dd84 lstrcmpiA 7115->7116 7117 299c58e 7116->7117 7117->6964 7117->6970 7117->6972 7119 2997dc8 InterlockedExchange 7118->7119 7120 2997dc0 Sleep 7119->7120 7121 2997dd4 7119->7121 7120->7119 7121->7006 7121->7007 7123 299e184 7122->7123 7124 299e2e4 7123->7124 7125 299e223 7123->7125 7138 299dfe2 7123->7138 7124->7033 7125->7124 7127 299dfe2 8 API calls 7125->7127 7129 299e23c 7127->7129 7128 299e1be 7128->7125 7130 299dbcf 3 API calls 7128->7130 7129->7124 7142 299e095 RegCreateKeyExA 7129->7142 7132 299e1d6 7130->7132 7131 299e21a CloseHandle 7131->7125 7132->7125 7132->7131 7133 299e1f9 WriteFile 7132->7133 7133->7131 7135 299e213 7133->7135 7135->7131 7136 299e2a3 7136->7124 7137 299e095 4 API calls 7136->7137 7137->7124 7139 299dffc 7138->7139 7141 299e024 7138->7141 7140 
299db2e 8 API calls 7139->7140 7139->7141 7140->7141 7141->7128 7143 299e0c0 7142->7143 7144 299e172 7142->7144 7145 299e13d 7143->7145 7147 299e115 RegSetValueExA 7143->7147 7144->7136 7146 299e14e RegDeleteValueA RegCloseKey 7145->7146 7146->7144 7147->7143 7147->7145 7149 2993122 InterlockedExchange 7148->7149 7150 299310f GetTickCount 7149->7150 7151 299312e 7149->7151 7150->7151 7152 299311a Sleep 7150->7152 7151->7050 7152->7149 7154 299f04e 4 API calls 7153->7154 7161 2993a83 7154->7161 7155 2993ac1 7155->7054 7155->7057 7156 2993be6 7159 299ec2e codecvt 4 API calls 7156->7159 7157 299ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7158 2993bc0 7157->7158 7158->7156 7158->7157 7159->7155 7160 2993b66 lstrlenA 7160->7155 7160->7161 7161->7155 7161->7158 7161->7160 7162->7071 7163->7073 7165 2996f55 wsprintfA 7164->7165 7166 2996eef AllocateAndInitializeSid 7164->7166 7165->7075 7167 2996f1c CheckTokenMembership 7166->7167 7168 2996f44 7166->7168 7169 2996f3b FreeSid 7167->7169 7170 2996f2e 7167->7170 7168->7165 7172 2996e36 GetUserNameW 7168->7172 7169->7168 7170->7169 7173 2996e5f LookupAccountNameW 7172->7173 7174 2996e97 7172->7174 7173->7174 7174->7165 7176 2992419 4 API calls 7175->7176 7177 29924b6 7176->7177 7177->7090 7179 299dd79 lstrlenA 7178->7179 7179->6421 7181 299eb21 7180->7181 7182 299eb17 7180->7182 7181->6506 7183 299eae4 2 API calls 7182->7183 7183->7181 7185 29969b9 WriteFile 7184->7185 7187 2996a3c 7185->7187 7188 29969ff 7185->7188 7187->6501 7187->6502 7188->7187 7189 2996a10 WriteFile 7188->7189 7189->7187 7189->7188 7191 2993edc 7190->7191 7193 2993ee2 7190->7193 7192 2996dc2 6 API calls 7191->7192 7192->7193 7193->6516 7195 299400b CreateFileA 7194->7195 7196 299402c GetLastError 7195->7196 7198 2994052 7195->7198 7197 2994037 7196->7197 7196->7198 7197->7198 7199 2994041 Sleep 7197->7199 7198->6520 7199->7195 7199->7198 7201 2993f7c 7200->7201 7202 2993f4e GetLastError 7200->7202 7204 2993f8c ReadFile 7201->7204 
7202->7201 7203 2993f5b WaitForSingleObject GetOverlappedResult 7202->7203 7203->7201 7205 2993ff0 7204->7205 7206 2993fc2 GetLastError 7204->7206 7205->6525 7205->6526 7206->7205 7207 2993fcf WaitForSingleObject GetOverlappedResult 7206->7207 7207->7205 7209 2991924 GetVersionExA 7208->7209 7209->6565 7211 299f0ed 7210->7211 7212 299f0f1 7210->7212 7211->6597 7213 299f119 7212->7213 7214 299f0fa lstrlenA SysAllocStringByteLen 7212->7214 7215 299f11c MultiByteToWideChar 7213->7215 7214->7215 7216 299f117 7214->7216 7215->7216 7216->6597 7218 2991820 17 API calls 7217->7218 7220 29918f2 7218->7220 7219 29918f9 7219->6593 7220->7219 7234 2991280 7220->7234 7222 2991908 7222->6593 7246 2991000 7223->7246 7225 2991839 7226 299183d 7225->7226 7227 2991851 GetCurrentProcess 7225->7227 7226->6584 7228 2991864 7227->7228 7228->6584 7230 2999308 7229->7230 7233 299920e 7229->7233 7230->6593 7231 29992f1 Sleep 7231->7233 7232 29992bf ShellExecuteA 7232->7230 7232->7233 7233->7230 7233->7231 7233->7232 7235 29912e1 7234->7235 7236 29916f9 GetLastError 7235->7236 7244 29913a8 7235->7244 7242 2991699 7236->7242 7237 2991570 lstrlenW 7237->7244 7238 29915be GetStartupInfoW 7238->7244 7239 29915ff CreateProcessWithLogonW 7240 29916bf GetLastError 7239->7240 7241 299163f WaitForSingleObject 7239->7241 7240->7242 7243 2991659 CloseHandle 7241->7243 7241->7244 7242->7222 7243->7244 7244->7237 7244->7238 7244->7239 7244->7242 7245 2991668 CloseHandle 7244->7245 7245->7244 7247 299100d LoadLibraryA 7246->7247 7256 2991023 7246->7256 7248 2991021 7247->7248 7247->7256 7248->7225 7249 29910b5 GetProcAddress 7250 299127b 7249->7250 7251 29910d1 GetProcAddress 7249->7251 7250->7225 7251->7250 7252 29910f0 GetProcAddress 7251->7252 7252->7250 7253 2991110 GetProcAddress 7252->7253 7253->7250 7254 2991130 GetProcAddress 7253->7254 7254->7250 7255 299114f GetProcAddress 7254->7255 7255->7250 7257 299116f GetProcAddress 7255->7257 7256->7249 7266 29910ae 7256->7266 7257->7250 7258 299118f 
GetProcAddress 7257->7258 7258->7250 7259 29911ae GetProcAddress 7258->7259 7259->7250 7260 29911ce GetProcAddress 7259->7260 7260->7250 7261 29911ee GetProcAddress 7260->7261 7261->7250 7262 2991209 GetProcAddress 7261->7262 7262->7250 7263 2991225 GetProcAddress 7262->7263 7263->7250 7264 2991241 GetProcAddress 7263->7264 7264->7250 7265 299125c GetProcAddress 7264->7265 7265->7250 7266->7225 7268 299908d 7267->7268 7269 29990e2 wsprintfA 7268->7269 7270 299ee2a 7269->7270 7271 29990fd CreateFileA 7270->7271 7272 299911a lstrlenA WriteFile CloseHandle 7271->7272 7273 299913f 7271->7273 7272->7273 7273->6620 7273->6621 7275 299ee2a 7274->7275 7276 2999794 CreateProcessA 7275->7276 7277 29997c2 7276->7277 7278 29997bb 7276->7278 7279 29997d4 GetThreadContext 7277->7279 7278->6632 7280 2999801 7279->7280 7281 29997f5 7279->7281 7288 299637c 7280->7288 7282 29997f6 TerminateProcess 7281->7282 7282->7278 7284 2999816 7284->7282 7285 299981e WriteProcessMemory 7284->7285 7285->7281 7286 299983b SetThreadContext 7285->7286 7286->7281 7287 2999858 ResumeThread 7286->7287 7287->7278 7289 299638a GetModuleHandleA VirtualAlloc 7288->7289 7290 2996386 7288->7290 7291 29963f5 7289->7291 7292 29963b6 7289->7292 7290->7284 7291->7284 7293 29963be VirtualAllocEx 7292->7293 7293->7291 7294 29963d6 7293->7294 7295 29963df WriteProcessMemory 7294->7295 7295->7291 7297 2998791 7296->7297 7298 299879f 7296->7298 7299 299f04e 4 API calls 7297->7299 7300 29987bc 7298->7300 7301 299f04e 4 API calls 7298->7301 7299->7298 7302 299e819 11 API calls 7300->7302 7301->7300 7303 29987d7 7302->7303 7316 2998803 7303->7316 7451 29926b2 gethostbyaddr 7303->7451 7306 29987eb 7308 299e8a1 30 API calls 7306->7308 7306->7316 7308->7316 7311 299e819 11 API calls 7311->7316 7312 29988a0 Sleep 7312->7316 7313 29926b2 2 API calls 7313->7316 7314 299f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7314->7316 7316->7311 7316->7312 7316->7313 7316->7314 7317 299e8a1 30 API calls 
APIs
• closesocket.WS2_32(?), ref: 0299CA4E
• closesocket.WS2_32(?), ref: 0299CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0299CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0299CCB4
• WriteFile.KERNEL32(0299A4B3,?,-000000E8,?,00000000), ref: 0299CCDC
• CloseHandle.KERNEL32(0299A4B3), ref: 0299CCED
• wsprintfA.USER32 ref: 0299CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0299CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0299CD89
• CloseHandle.KERNEL32(?), ref: 0299CD98
• CloseHandle.KERNEL32(?), ref: 0299CD9D
• DeleteFileA.KERNEL32(?), ref: 0299CDC4
• CloseHandle.KERNEL32(0299A4B3), ref: 0299CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0299CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0299CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0299D033
• lstrcatA.KERNEL32(?,04100108), ref: 0299D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0299D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0299D171
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000), ref: 0299D195
• CloseHandle.KERNEL32(00000000), ref: 0299D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0299D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0299D231
• lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 0299D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0299D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0299D2C7
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0299D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0299D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0299D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0299D372
• lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 0299D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0299D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0299D408
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0299D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0299D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0299D45B
• CreateProcessA.KERNEL32(?,029A0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0299D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0299D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0299D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0299D513
• closesocket.WS2_32(?), ref: 0299D56C
• Sleep.KERNEL32(000003E8), ref: 0299D577
• ExitProcess.KERNEL32 ref: 0299D583
• wsprintfA.USER32 ref: 0299D81F
  • Part of subcall function 0299C65C: send.WS2_32(00000000,?,00000000), ref: 0299C74B
• closesocket.WS2_32(?), ref: 0299DAD5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-1513350910
• Opcode ID: 3c9e2ae8234954e7ccf23b47881eab94c726dd4ae6f03572f69aa8f5877573d5
• Instruction ID: 27e3d65cce35c6228fbe2c146040a40da9eb02675fbe538d528dd12953f1a74e
• Opcode Fuzzy Hash: 3c9e2ae8234954e7ccf23b47881eab94c726dd4ae6f03572f69aa8f5877573d5
• Instruction Fuzzy Hash: 9DB29271D44309AFEF10EFA8DC89FEA7BADAF49324F04046AE549A6180D7319955CFA0
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 02999A7F
• SetErrorMode.KERNELBASE(00000003), ref: 02999A83
• SetUnhandledExceptionFilter.KERNEL32(02996511), ref: 02999A8A
  • Part of subcall function 0299EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0299EC5E
  • Part of subcall function 0299EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0299EC72
  • Part of subcall function 0299EC54: GetTickCount.KERNEL32 ref: 0299EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02999AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 02999ABA
• GetCommandLineA.KERNEL32 ref: 02999AFD
• lstrlenA.KERNEL32(?), ref: 02999B99
• ExitProcess.KERNEL32 ref: 02999C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 02999CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 02999D7A
• lstrcatA.KERNEL32(?,?), ref: 02999D8B
• lstrcatA.KERNEL32(?,029A070C), ref: 02999D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02999DED
• DeleteFileA.KERNEL32(00000022), ref: 02999E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02999E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02999EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02999ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02999F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02999F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02999F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02999FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02999FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02999FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0299A038
• lstrcatA.KERNEL32(00000022,029A0A34), ref: 0299A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0299A072
• lstrcatA.KERNEL32(00000022,029A0A34), ref: 0299A08D
• wsprintfA.USER32 ref: 0299A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0299A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0299A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0299A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0299A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0299A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0299A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0299A1B6
• GetCommandLineA.KERNEL32 ref: 0299A1E5
  • Part of subcall function 029999D2: lstrcpyA.KERNEL32(?,?,00000100,029A22F8,00000000,?,02999E9D,?,00000022,?,?,?,?,?,?,?), ref: 029999DF
  • Part of subcall function 029999D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02999E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02999A3C
                                                                                              • Part of subcall function 029999D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02999E9D,?,00000022,?,?,?), ref: 02999A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0299A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0299A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0299A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0299A400
                                                                                            • DeleteFileA.KERNELBASE(029A33D8), ref: 0299A407
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0299405E,00000000,00000000,00000000), ref: 0299A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0299A43A
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0299877E,00000000,00000000,00000000), ref: 0299A469
                                                                                            • Sleep.KERNELBASE(00000BB8), ref: 0299A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0299A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0299A4B7
                                                                                            • Sleep.KERNELBASE(00001A90), ref: 0299A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$D$P$\$gtdjtffe
                                                                                            • API String ID: 2089075347-2199420381
                                                                                            • Opcode ID: b96d35c27924db4ded904432669746c12dc482f95544d88dc01107393a0ad77c
                                                                                            • Instruction ID: 06a3bcda7e4878fc0e58112e94e923ecba0b346ce3060b2d136df90df136f80b
                                                                                            • Opcode Fuzzy Hash: b96d35c27924db4ded904432669746c12dc482f95544d88dc01107393a0ad77c
                                                                                            • Instruction Fuzzy Hash: 9D5271B1D44359AFEF21DBA88C49FEE7BBCEF45314F0444AAE509A2140E7709A44CFA1

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 029919B1
                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02991E9E), ref: 029919BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 029919E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 029919ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 029919F9
                                                                                            • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02991E9E), ref: 02991A1B
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02991E9E), ref: 02991A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02991E9E), ref: 02991A36
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,02991E9E,?,?,?,?,00000001,02991E9E), ref: 02991A4A
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,02991E9E,?,?,?,?,00000001,02991E9E), ref: 02991A5A
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,02991E9E,?,?,?,?,00000001,02991E9E), ref: 02991A6E
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02991E9E), ref: 02991A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02991E9E), ref: 02991AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 293628436-270533642
                                                                                            • Opcode ID: 186673c61fa190147b60976abafe3df9823b6f287a8e033dc885838c44c6b0ad
                                                                                            • Instruction ID: 161be8de4c5339d1328d9d9c20115f19c08bb3f49fa81d67e822ac789d9a6241
                                                                                            • Opcode Fuzzy Hash: 186673c61fa190147b60976abafe3df9823b6f287a8e033dc885838c44c6b0ad
                                                                                            • Instruction Fuzzy Hash: 69314F32E4131AAFDF119FE8CC889BEBBB9FF45265B14056AE505A2100D7304E40CBA0

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02997ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02997ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,029A070C,?,?,?), ref: 02997B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02997B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02997B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 02997B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02997B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02997B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02997B9C
                                                                                            • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02997BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02997BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,02997FC9,?,00000000), ref: 02997BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$D
                                                                                            • API String ID: 2976863881-3230128393
                                                                                            • Opcode ID: cef9358592ac8bc5ca40c9c15ee43bd31920721ef7fe9fb639a57845b1ffc4e5
                                                                                            • Instruction ID: f241e43b588bc33384f8887f5a1ddd2c7c8786e6bd8933469c4c937f5da35756
                                                                                            • Opcode Fuzzy Hash: cef9358592ac8bc5ca40c9c15ee43bd31920721ef7fe9fb639a57845b1ffc4e5
                                                                                            • Instruction Fuzzy Hash: 4EA13AB1D40219ABEF118FA8DC89FFEBBBDFF44314F044469E905A2140EB359A55CBA0

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0299782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02997866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02997878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0299789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,02997F63,?), ref: 029978B8
                                                                                            • EqualSid.ADVAPI32(?,02997F63), ref: 029978D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 029978E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029978F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02997901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02997910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02997917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02997933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 02997963
                                                                                            • EqualSid.ADVAPI32(?,02997F63), ref: 0299798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 029979A3
                                                                                            • EqualSid.ADVAPI32(?,02997F63), ref: 029979C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02997A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02997A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02997A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02997A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02997A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: fc3699b4476bf6ae62e981563265a372bfa9bc70e056b6afbba6e3cc734847b0
                                                                                            • Instruction ID: 3b697e35310e39605aae90ac4b3b368dcabab9926c889a6b8a2600725f1b8570
                                                                                            • Opcode Fuzzy Hash: fc3699b4476bf6ae62e981563265a372bfa9bc70e056b6afbba6e3cc734847b0
                                                                                            • Instruction Fuzzy Hash: 338127B1D1121AAFDF218FE8CD85BEEBBBCEF08754F14456AE505E2140DB359A41CBA0

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 029983F3
                                                                                            • RegQueryValueExA.KERNELBASE(029A0750,?,00000000,?,02998893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02998414
                                                                                            • RegSetValueExA.KERNELBASE(029A0750,?,00000000,00000004,02998893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02998441
                                                                                            • RegCloseKey.ADVAPI32(029A0750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0299844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe$localcfg
                                                                                            • API String ID: 237177642-3993056816

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 02991DC6
                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 02991DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02991E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02991E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 02991E1B
                                                                                            • GetTickCount.KERNEL32 ref: 02991FC9
                                                                                              • Part of subcall function 02991BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02991C15
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 02997472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 029974F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 02997528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0299764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 029976E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02997706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 02997717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02997745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 029977EF
                                                                                              • Part of subcall function 0299F1A5: lstrlenA.KERNEL32(000000C8,000000E4,029A22F8,000000C8,02997150,?), ref: 0299F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0299778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 029977E6
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0299677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0299679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 029967B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 029967BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 029967D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,02998244,00000000,?,74DF0F10,00000000), ref: 02996807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0299681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0299683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0299685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,02998244,00000000,?,74DF0F10,00000000), ref: 0299688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 02996906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,02998244,00000000,?,74DF0F10,00000000), ref: 0299691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 02996971
                                                                                              • Part of subcall function 0299EC2E: GetProcessHeap.KERNEL32(00000000,0299EA27,00000000,0299EA27,00000000), ref: 0299EC41
                                                                                              • Part of subcall function 0299EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0299EC48
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • htons.WS2_32(0299CA1D), ref: 0299F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0299F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0299F375
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02994070
                                                                                            • ExitProcess.KERNEL32 ref: 02994121
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02992F01,?,029920FF,029A2000), ref: 02992D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02992D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02992D61
                                                                                            • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02992D77
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02992D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 02992DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02992DCB
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 233223969-3847274415

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0299815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0299A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02998187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0299A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 029981BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02998210
                                                                                              • Part of subcall function 0299675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0299677E
                                                                                              • Part of subcall function 0299675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0299679A
                                                                                              • Part of subcall function 0299675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 029967B0
                                                                                              • Part of subcall function 0299675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 029967BF
                                                                                              • Part of subcall function 0299675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 029967D3
                                                                                              • Part of subcall function 0299675C: ReadFile.KERNELBASE(000000FF,?,00000040,02998244,00000000,?,74DF0F10,00000000), ref: 02996807
                                                                                              • Part of subcall function 0299675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0299681F
                                                                                              • Part of subcall function 0299675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0299683E
                                                                                              • Part of subcall function 0299675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0299685C
                                                                                              • Part of subcall function 0299EC2E: GetProcessHeap.KERNEL32(00000000,0299EA27,00000000,0299EA27,00000000), ref: 0299EC41
                                                                                              • Part of subcall function 0299EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0299EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\gtdjtffe\ubezyssm.exe
                                                                                            • API String ID: 124786226-148016686
                                                                                            • Opcode ID: 68411e96a1e83519619a753bc5043a2028339d98fe5967a3415b60a6fadb1950
                                                                                            • Instruction ID: 62ad8c265e030af403d0bb5136be74125c73f2393de22f6c42c0f76b9266c504
                                                                                            • Opcode Fuzzy Hash: 68411e96a1e83519619a753bc5043a2028339d98fe5967a3415b60a6fadb1950
                                                                                            • Instruction Fuzzy Hash: DB41A2B2D44209BFEF11EBA8DC81EBEB77DEB45364F1408AAE901A2000E7315A54CF91

                                                                                             Control-flow Graph
                                                                                             Control-flow graph for the function starting at 02991AC3 (LoadLibraryA, GetProcAddress, GetAdaptersAddresses); graph rendering omitted.
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02991AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02991AE9
                                                                                            • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02991B20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 3646706440-1087626847
                                                                                            • Opcode ID: 0059024a354ec5e86288260f59ceb0b4d9752da4bb261ea64442fddc2bf3deb7
                                                                                            • Instruction ID: 9115d60e5b08838a3d6f78676bd2374f94547232f7abd6d622c8a5909c126d5e
                                                                                            • Opcode Fuzzy Hash: 0059024a354ec5e86288260f59ceb0b4d9752da4bb261ea64442fddc2bf3deb7
                                                                                            • Instruction Fuzzy Hash: 6811B471E01228AFDF159BADDC849ADBBBFFB44B74B14445AE00DA3148E7308A40CB90

                                                                                             Control-flow Graph
                                                                                             Control-flow graph for the function starting at 0299E3CA (RegOpenKeyExA, RegQueryValueExA, RegCloseKey); graph rendering omitted.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,0299E5F2,00000000,00020119,0299E5F2,029A22F8), ref: 0299E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0299E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0299E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0299E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0299E482
                                                                                            • RegQueryValueExA.ADVAPI32(0299E5F2,?,00000000,?,80000001,?), ref: 0299E4CF
                                                                                            • RegCloseKey.ADVAPI32(0299E5F2,?,?,?,?,000000C8,000000E4), ref: 0299E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: d59649dd1a79b58287e36cd3404a4a0c4d198e2e68432e5c735964b099aeb194
                                                                                            • Instruction ID: 090e04a5edb27963e602431b11be5cb0a47d55663e5c9509950e92ab864fd673
                                                                                            • Opcode Fuzzy Hash: d59649dd1a79b58287e36cd3404a4a0c4d198e2e68432e5c735964b099aeb194
                                                                                            • Instruction Fuzzy Hash: 9E41F6B2D0021DBFEF11DFE8DC81EEEBBBDEB48354F144466E910A2150E3319A558BA1

                                                                                             Control-flow Graph
                                                                                             Control-flow graph for the function starting at 0299F26D (setsockopt called 5 times); graph rendering omitted.
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0299F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0299F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0299F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0299F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0299F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: b07f85cf3ac1fef2409cb9996f1df201236ecfb38409b5fae974b19433acf808
                                                                                            • Instruction ID: 0908c45cd5bf4071570952b5f8d1054f03e295dccf64875326eaf15ad912cab3
                                                                                            • Opcode Fuzzy Hash: b07f85cf3ac1fef2409cb9996f1df201236ecfb38409b5fae974b19433acf808
                                                                                            • Instruction Fuzzy Hash: 6611FBB1A40248BAEB11DE94CD41FAE7FBCEB44751F004066BB04EA1D0E6B19A44CB94

                                                                                             Control-flow Graph
                                                                                             Control-flow graph for the function starting at 02991BDF (calls 02991AC3, GetComputerNameA, GetVolumeInformationA); graph rendering omitted.
                                                                                            APIs
                                                                                              • Part of subcall function 02991AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02991AD4
                                                                                              • Part of subcall function 02991AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02991AE9
                                                                                              • Part of subcall function 02991AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02991B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 02991C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02991C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2794401326-2393279970
                                                                                            • Opcode ID: 7a48e0d1c1e29291f51f9c15e4b82c6e8ddb9ec767d11f59d8d7fd0cca26b814
                                                                                            • Instruction ID: f9130381bdb9cccc9ce690a96e37a7904bfcc8c06bdf65ea7c7e2d086e405087
                                                                                            • Opcode Fuzzy Hash: 7a48e0d1c1e29291f51f9c15e4b82c6e8ddb9ec767d11f59d8d7fd0cca26b814
                                                                                            • Instruction Fuzzy Hash: 1C018472A04119BBEF10DAECC8C59EFBABCBB48655F100875E606E2140E2309D44D6A0
                                                                                            APIs
                                                                                              • Part of subcall function 02991AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02991AD4
                                                                                              • Part of subcall function 02991AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02991AE9
                                                                                              • Part of subcall function 02991AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02991B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 02991BA3
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02991EFD,00000000,00000000,00000000,00000000), ref: 02991BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2794401326-1857712256
                                                                                            • Opcode ID: 678e254c1060a0f44b458da3c0348248b50389a244d38f53909228bd916f8151
                                                                                            • Instruction ID: 5a44f07b42d1df6af9db1edc5b6a7e8d2c446a983888e3131747e9464b5bdfae
                                                                                            • Opcode Fuzzy Hash: 678e254c1060a0f44b458da3c0348248b50389a244d38f53909228bd916f8151
                                                                                            • Instruction Fuzzy Hash: 89014FB7D05118BFEB019AEDC8819EFFABDAB48664F150566A605E7140D5705E088AE0
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 02992693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0299269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: 020570a44e6d3beac01d5a1b4c90a300058e0caeda0dc7770385db727ff1636b
                                                                                            • Instruction ID: 0268ca7d3a8b326aeb5d4df26a3de176a23af5073e0c145473811b3072e63415
                                                                                            • Opcode Fuzzy Hash: 020570a44e6d3beac01d5a1b4c90a300058e0caeda0dc7770385db727ff1636b
                                                                                            • Instruction Fuzzy Hash: CBE08C30A08611AFDB108B2CF444BE537A8AF06330F054582F840C3194C7309C808780
                                                                                            APIs
                                                                                              • Part of subcall function 0299DD05: GetTickCount.KERNEL32 ref: 0299DD0F
                                                                                              • Part of subcall function 0299DD05: InterlockedExchange.KERNEL32(029A36B4,00000001), ref: 0299DD44
                                                                                              • Part of subcall function 0299DD05: GetCurrentThreadId.KERNEL32 ref: 0299DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0299A445), ref: 0299E558
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,0299A445), ref: 0299E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0299A445), ref: 0299E5B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID:
                                                                                            • API String ID: 3683885500-0
                                                                                            • Opcode ID: 0dfe556452f52f78fe090e11282ed3ce17d0d479a378bcded515b2234e94da0c
                                                                                            • Instruction ID: 366a63f5005dc290511966e46c5d02b12a70d00631267b5942d2dd61845ce4c5
                                                                                            • Opcode Fuzzy Hash: 0dfe556452f52f78fe090e11282ed3ce17d0d479a378bcded515b2234e94da0c
                                                                                            • Instruction Fuzzy Hash: 8C2105B2A843003AFA20BB3D9C57FAB3A1DDFD5770F040455FE4AA11C2EA51D8108AF2
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 029988A5
                                                                                              • Part of subcall function 0299F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0299E342,00000000,75A8EA50,80000001,00000000,0299E513,?,00000000,00000000,?,000000E4), ref: 0299F089
                                                                                              • Part of subcall function 0299F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0299E342,00000000,75A8EA50,80000001,00000000,0299E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0299F093
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$Sleep
                                                                                            • String ID: localcfg$rresolv
                                                                                            • API String ID: 1561729337-486471987
                                                                                            • Opcode ID: 6c9d5df1b21182e06b0aed0cff442d3067a937a0110272a9f16a20dd41ccbcb8
                                                                                            • Instruction ID: 84bf3da307b62ec72a4c572d52a0f9393c81be18b4823d1cd3da8e78a3150b04
                                                                                            • Opcode Fuzzy Hash: 6c9d5df1b21182e06b0aed0cff442d3067a937a0110272a9f16a20dd41ccbcb8
                                                                                            • Instruction Fuzzy Hash: C9219571E8C3016AFB14EBAD6C46B7A7A9EAB85730F54081EFE18960C1EBA1454089F1
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,029A22F8,029942B6,00000000,00000001,029A22F8,00000000,?,029998FD), ref: 02994021
                                                                                            • GetLastError.KERNEL32(?,029998FD,00000001,00000100,029A22F8,0299A3C7), ref: 0299402C
                                                                                            • Sleep.KERNEL32(000001F4,?,029998FD,00000001,00000100,029A22F8,0299A3C7), ref: 02994046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: c91282ee2fb8b10b18d48b1e80454dffc9bf912a5f604cfa433c2eddd94df1b0
                                                                                            • Instruction ID: 337c8e256e4c13b58887398662a2698f69a98354358e8ef2de6c86e4a82b4554
                                                                                            • Opcode Fuzzy Hash: c91282ee2fb8b10b18d48b1e80454dffc9bf912a5f604cfa433c2eddd94df1b0
                                                                                            • Instruction Fuzzy Hash: 1EF082316442016ADB320E2DAC4AB2A3265EB81734F255A24F3B5E20D0C7304482DA54
                                                                                            APIs
                                                                                            • GetEnvironmentVariableA.KERNEL32(0299DC19,?,00000104), ref: 0299DB7F
                                                                                            • lstrcpyA.KERNEL32(?,029A28F8), ref: 0299DBA4
                                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0299DBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                            • String ID:
                                                                                            • API String ID: 2536392590-0
                                                                                            • Opcode ID: 5f22e4afebc8f7d65694c211eaa7e63ca094f66152759f19e889c480a137799e
                                                                                            • Instruction ID: 5b08a21bf175daf017f31b4116a02f5298be8a13b2d323f41660b3263ae12a9c
                                                                                            • Opcode Fuzzy Hash: 5f22e4afebc8f7d65694c211eaa7e63ca094f66152759f19e889c480a137799e
                                                                                            • Instruction Fuzzy Hash: 8AF09A70540309ABEF209F68DD8AFE93BA9AF00318F2045A4BB95A40D0D7F2D595CB60
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0299EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0299EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0299EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 86c3127784eeaf403875e3850180c98ba6740ecbbb91be48ca3e843ea7870466
                                                                                            • Instruction ID: c4f14326da4d9ba7f253a89842d749f2c3b3f73198976570bb36af40d33631d4
                                                                                            • Opcode Fuzzy Hash: 86c3127784eeaf403875e3850180c98ba6740ecbbb91be48ca3e843ea7870466
                                                                                            • Instruction Fuzzy Hash: 32E09AF5C54204BFE701ABB4DC4AEBB77BCFF08314F500A50B911D6080DA709A14CBA4
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 029930D8
                                                                                            • gethostbyname.WS2_32(?), ref: 029930E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynamegethostname
                                                                                            • String ID:
                                                                                            • API String ID: 3961807697-0
                                                                                            • Opcode ID: d09f85c081a6f4ff4bc1b42d0c52fde11213e96636984ce8785f7279a41a7611
                                                                                            • Instruction ID: 36f6cfbca9c3bf776a7a8c8b56292e76c8476be2242d9b3ce8cf410c82e940ec
                                                                                            • Opcode Fuzzy Hash: d09f85c081a6f4ff4bc1b42d0c52fde11213e96636984ce8785f7279a41a7611
                                                                                            • Instruction Fuzzy Hash: 0AE06D72D00219ABCF00EBA8EC89FAA77ACBF44318F080461F945E3244EA34E5048BA0
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,0299DB55,7FFF0001), ref: 0299EC13
                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,0299DB55,7FFF0001), ref: 0299EC1A
                                                                                              • Part of subcall function 0299EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0299EBFE,7FFF0001,?,0299DB55,7FFF0001), ref: 0299EBD3
                                                                                              • Part of subcall function 0299EBCC: RtlAllocateHeap.NTDLL(00000000,?,0299DB55,7FFF0001), ref: 0299EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1357844191-0
                                                                                            • Opcode ID: 0d14d46249faf4c10f605a19d20d68d921f08b979e4fdcd7139effc7f77bda7b
                                                                                            • Instruction ID: 59587fd5b5530bdb5a9c2ed579870b6d64912a32c6721c971c3795e923bbe22f
                                                                                            • Opcode Fuzzy Hash: 0d14d46249faf4c10f605a19d20d68d921f08b979e4fdcd7139effc7f77bda7b
                                                                                            • Instruction Fuzzy Hash: EAE01232544218BEDF016A99E808BE93B9ADF45372F108016F94D49460DB3289A0DA94
                                                                                            APIs
                                                                                              • Part of subcall function 0299EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0299EC0A,00000000,80000001,?,0299DB55,7FFF0001), ref: 0299EBAD
                                                                                              • Part of subcall function 0299EBA0: HeapSize.KERNEL32(00000000,?,0299DB55,7FFF0001), ref: 0299EBB4
                                                                                            • GetProcessHeap.KERNEL32(00000000,0299EA27,00000000,0299EA27,00000000), ref: 0299EC41
                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 0299EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$FreeSize
                                                                                            • String ID:
                                                                                            • API String ID: 1305341483-0
                                                                                            • Opcode ID: 2de9a51a26b34fd61aad9e6b6a1810df976832dab01e9625ba79e631f03b798b
                                                                                            • Instruction ID: 61e03df27ca035dfb088fbd0794194831b2a49aa911c26c310d98312d49ad757
                                                                                            • Opcode Fuzzy Hash: 2de9a51a26b34fd61aad9e6b6a1810df976832dab01e9625ba79e631f03b798b
                                                                                            • Instruction Fuzzy Hash: A1C0123294A330AFC9516654B80CFEB6B5C9F46621F09480AF445660409760584186E1
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0299EBFE,7FFF0001,?,0299DB55,7FFF0001), ref: 0299EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0299DB55,7FFF0001), ref: 0299EBDA
                                                                                              • Part of subcall function 0299EB74: GetProcessHeap.KERNEL32(00000000,00000000,0299EC28,00000000,?,0299DB55,7FFF0001), ref: 0299EB81
                                                                                              • Part of subcall function 0299EB74: HeapSize.KERNEL32(00000000,?,0299DB55,7FFF0001), ref: 0299EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: 666bcbc34dee3839accf92235cd8ea30f6bec6ce7288c78c981b77173f2f4003
                                                                                            • Instruction ID: 2fd598bdeaeebb614fc464e7a903af1736b9229edc7bc3881d8c7d727c5262a5
                                                                                            • Opcode Fuzzy Hash: 666bcbc34dee3839accf92235cd8ea30f6bec6ce7288c78c981b77173f2f4003
                                                                                            • Instruction Fuzzy Hash: 29C08C32A4C3206FCA0127A8BC0CFEE3E98EF4A3A2F044809F609C2150CB304C508BE6
                                                                                            APIs
                                                                                            • recv.WS2_32(000000C8,?,00000000,0299CA44), ref: 0299F476
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: recv
                                                                                            • String ID:
                                                                                            • API String ID: 1507349165-0
                                                                                            • Opcode ID: 274a14bf457033cc19e89244b76150b2b29644083ebca6c33b8ef8a63fe05ff1
                                                                                            • Instruction ID: 90b30e64a8ebc32ac9e3c6120fc6fa42eb88b114e8aa70226b36c59123672546
                                                                                            • Opcode Fuzzy Hash: 274a14bf457033cc19e89244b76150b2b29644083ebca6c33b8ef8a63fe05ff1
                                                                                            • Instruction Fuzzy Hash: AEF01272201559AB9F119E5DDC88DAB7BAEFBCA3607040521FA18D7110D631D8218BA0
                                                                                            APIs
                                                                                            • closesocket.WS2_32(00000000), ref: 02991992
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesocket
                                                                                            • String ID:
                                                                                            • API String ID: 2781271927-0
                                                                                            • Opcode ID: 0cea37d38b318bc11f561452c8bd0f7f5c611e1f4f5c9b025a7b9319caab9648
                                                                                            • Instruction ID: 5f0e11f504e0aa4aa42d914e69ca8a29f8a9cf92581c827ce8066aeaa100a9d5
                                                                                            • Opcode Fuzzy Hash: 0cea37d38b318bc11f561452c8bd0f7f5c611e1f4f5c9b025a7b9319caab9648
                                                                                            • Instruction Fuzzy Hash: 0FD012365487326A5A11275DB8045BFEB9CEF85772711941AFC4CC0150D735C85187D6
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0299DDB5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID:
                                                                                            • API String ID: 1586166983-0
                                                                                            • Opcode ID: 983419230cf22ff885b0b3027ed6569d2f11c6f53a3149a08a615c323c772ca9
                                                                                            • Instruction ID: 4945573bb5a33b139758e25a9261dba448587975babf39d70f8760bef3f9b6fb
                                                                                            • Opcode Fuzzy Hash: 983419230cf22ff885b0b3027ed6569d2f11c6f53a3149a08a615c323c772ca9
                                                                                            • Instruction Fuzzy Hash: C3F058316043128FCF20AE3C98C4666B3ECAF86279F18482AE55592940D731D855CB61
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02999816,EntryPoint), ref: 0299638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02999816,EntryPoint), ref: 029963A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029963CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029963EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f85b860aef81acbca56376c4148d7700b742a69b7e5c3333148e9b5f9a32c0a5
                                                                                            • Instruction ID: f40ad37e6b089e694dbeea2bb1d551f5c99bd67dae48d260c98a49732744acdd
                                                                                            • Opcode Fuzzy Hash: f85b860aef81acbca56376c4148d7700b742a69b7e5c3333148e9b5f9a32c0a5
                                                                                            • Instruction Fuzzy Hash: 091191B1A44219BFEB118F69DC4AFAB3BACEF457B5F004424F908E6280D770DC108AA0
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02991839,02999646), ref: 02991012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 029910C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 029910E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02991101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02991121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02991140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02991160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02991180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0299119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 029911BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 029911DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 029911FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0299121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 7d9f295bd5de40eadd4862958e93b6730ebac031c841eb5141dee3ca4874fb64
                                                                                            • Instruction ID: b319adc402e1c11ea1896a2933765dd638386839e2a0072637b0b19d5cdcf004
                                                                                            • Opcode Fuzzy Hash: 7d9f295bd5de40eadd4862958e93b6730ebac031c841eb5141dee3ca4874fb64
                                                                                            • Instruction Fuzzy Hash: 18516071ECA702EBEF509A6DE85076676AC7BC8274F1807969829D21D0D7B0C0D2CFD6
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0299B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0299B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0299B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0299B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0299B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0299B329
                                                                                            • wsprintfA.USER32 ref: 0299B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            APIs
                                                                                            Strings
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            APIs
                                                                                            Strings
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-4264063882
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0299139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 02991571
                                                                                            Strings
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-179334549
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 02992A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 02992A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02992AA0
                                                                                            • htons.WS2_32(00000000), ref: 02992ADB
                                                                                            • select.WS2_32 ref: 02992B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02992B4A
                                                                                            • htons.WS2_32(?), ref: 02992B71
                                                                                            • htons.WS2_32(?), ref: 02992B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02992BFB
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 029970C2
                                                                                            • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0299719E
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 029971B2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02997208
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02997291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 029972C2
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 029972D0
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 02997314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0299738D
                                                                                            • RegCloseKey.ADVAPI32(74DF0F10), ref: 029973D8
                                                                                              • Part of subcall function 0299F1A5: lstrlenA.KERNEL32(000000C8,000000E4,029A22F8,000000C8,02997150,?), ref: 0299F1AD
                                                                                            Strings
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0299AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0299ADA6
                                                                                              • Part of subcall function 0299AD08: gethostname.WS2_32(?,00000080), ref: 0299AD1C
                                                                                              • Part of subcall function 0299AD08: lstrlenA.KERNEL32(?), ref: 0299AD60
                                                                                              • Part of subcall function 0299AD08: lstrlenA.KERNEL32(?), ref: 0299AD69
                                                                                              • Part of subcall function 0299AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0299AD7F
                                                                                              • Part of subcall function 029930B5: gethostname.WS2_32(?,00000080), ref: 029930D8
                                                                                              • Part of subcall function 029930B5: gethostbyname.WS2_32(?), ref: 029930E2
                                                                                            • wsprintfA.USER32 ref: 0299AEA5
                                                                                              • Part of subcall function 0299A7A3: inet_ntoa.WS2_32(00000000), ref: 0299A7A9
                                                                                            • wsprintfA.USER32 ref: 0299AE4F
                                                                                            • wsprintfA.USER32 ref: 0299AE5E
                                                                                              • Part of subcall function 0299EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0299EF92
                                                                                              • Part of subcall function 0299EF7C: lstrlenA.KERNEL32(?), ref: 0299EF99
                                                                                              • Part of subcall function 0299EF7C: lstrlenA.KERNEL32(00000000), ref: 0299EFA0
                                                                                            Strings
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,02992F0F,?,029920FF,029A2000), ref: 02992E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02992F0F,?,029920FF,029A2000), ref: 02992E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02992E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02992F0F,?,029920FF,029A2000), ref: 02992E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,02992F0F,?,029920FF,029A2000), ref: 02992E4F
                                                                                            • htons.WS2_32(00000035), ref: 02992E88
                                                                                            • inet_addr.WS2_32(?), ref: 02992E93
                                                                                            • gethostbyname.WS2_32(?), ref: 02992EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02992F0F,?,029920FF,029A2000), ref: 02992EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,02992F0F,?,029920FF,029A2000), ref: 02992EE6
                                                                                            Strings
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,02999DD7,?,00000022,?,?,00000000,00000001), ref: 02999340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02999DD7,?,00000022,?,?,00000000,00000001), ref: 0299936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,02999DD7,?,00000022,?,?,00000000,00000001), ref: 02999375
                                                                                            • wsprintfA.USER32 ref: 029993CE
                                                                                            • wsprintfA.USER32 ref: 0299940C
                                                                                            • wsprintfA.USER32 ref: 0299948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 029994F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02999526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02999571
                                                                                            Strings
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0299B467
                                                                                              • Part of subcall function 0299EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0299EF92
                                                                                              • Part of subcall function 0299EF7C: lstrlenA.KERNEL32(?), ref: 0299EF99
                                                                                              • Part of subcall function 0299EF7C: lstrlenA.KERNEL32(00000000), ref: 0299EFA0
                                                                                            Strings
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
APIs
• GetTickCount.KERNEL32 ref: 02992078
• GetTickCount.KERNEL32 ref: 029920D4
• GetTickCount.KERNEL32 ref: 029920DB
• GetTickCount.KERNEL32 ref: 0299212B
• GetTickCount.KERNEL32 ref: 02992132
• GetTickCount.KERNEL32 ref: 02992142
  • Part of subcall function 0299F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0299E342,00000000,75A8EA50,80000001,00000000,0299E513,?,00000000,00000000,?,000000E4), ref: 0299F089
  • Part of subcall function 0299F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0299E342,00000000,75A8EA50,80000001,00000000,0299E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0299F093
  • Part of subcall function 0299E854: lstrcpyA.KERNEL32(00000001,?,?,0299D8DF,00000001,localcfg,except_info,00100000,029A0264), ref: 0299E88B
  • Part of subcall function 0299E854: lstrlenA.KERNEL32(00000001,?,0299D8DF,00000001,localcfg,except_info,00100000,029A0264), ref: 0299E899
  • Part of subcall function 02991C5F: wsprintfA.USER32 ref: 02991CE1
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
APIs
  • Part of subcall function 0299A4C7: GetTickCount.KERNEL32 ref: 0299A4D1
  • Part of subcall function 0299A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0299A4FA
• GetTickCount.KERNEL32 ref: 0299C31F
• GetTickCount.KERNEL32 ref: 0299C32B
• GetTickCount.KERNEL32 ref: 0299C363
• GetTickCount.KERNEL32 ref: 0299C378
• GetTickCount.KERNEL32 ref: 0299C44D
• InterlockedIncrement.KERNEL32(0299C4E4), ref: 0299C4AE
• CreateThread.KERNEL32(00000000,00000000,0299B535,00000000,?,0299C4E0), ref: 0299C4C1
• CloseHandle.KERNEL32(00000000,?,0299C4E0,029A3588,02998810), ref: 0299C4CC
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0299BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0299BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0299BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0299BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0299BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0299BF94
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,02999A60,?,?,02999E9D), ref: 02996A7D
• GetDiskFreeSpaceA.KERNEL32(02999E9D,02999A60,?,?,?,029A22F8,?,?,?,02999A60,?,?,02999E9D), ref: 02996ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02999A60,?,?,02999E9D), ref: 02996B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02999A60,?,?,02999E9D), ref: 02996B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02999A60,?,?,02999E9D), ref: 02996B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,02999A60,?,?,02999E9D), ref: 02996B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02999A60,?,?,02999E9D), ref: 02996B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02999A60,?,?,02999E9D), ref: 02996B80
• GetLastError.KERNEL32(?,?,?,02999A60,?,?,02999E9D,?,?,?,?,?,02999E9D,?,00000022,?), ref: 02996B96
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
APIs
• GetUserNameA.ADVAPI32(?,0299D7C3), ref: 02996F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0299D7C3), ref: 02996FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02996FE8
• LocalFree.KERNEL32(00000120), ref: 0299701F
• wsprintfA.USER32 ref: 02997036
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,029A22F8,000000E4,02996DDC,000000C8), ref: 02996CE7
• GetProcAddress.KERNEL32(00000000), ref: 02996CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02996D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02996D2B
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
APIs
• CreateProcessA.KERNEL32(00000000,02999947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,029A22F8), ref: 029997B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,029A22F8), ref: 029997EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,029A22F8), ref: 029997F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,029A22F8), ref: 02999831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,029A22F8), ref: 0299984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,029A22F8), ref: 0299985B
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
  • Part of subcall function 0299DD05: GetTickCount.KERNEL32 ref: 0299DD0F
  • Part of subcall function 0299DD05: InterlockedExchange.KERNEL32(029A36B4,00000001), ref: 0299DD44
  • Part of subcall function 0299DD05: GetCurrentThreadId.KERNEL32 ref: 0299DD53
  • Part of subcall function 0299DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0299DDB5
• lstrcpynA.KERNEL32(?,02991E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0299EAAA,?,?), ref: 0299E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0299EAAA,?,?,00000001,?,02991E84,?), ref: 0299E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0299EAAA,?,?,00000001,?,02991E84,?,0000000A), ref: 0299E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0299EAAA,?,?,00000001,?,02991E84,?), ref: 0299E94F
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,029A22F8), ref: 0299907B
• wsprintfA.USER32 ref: 029990E9
• CreateFileA.KERNEL32(029A22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0299910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02999122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0299912D
• CloseHandle.KERNEL32(00000000), ref: 02999134
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 0299DD0F
• GetCurrentThreadId.KERNEL32 ref: 0299DD20
• GetTickCount.KERNEL32 ref: 0299DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0299E538,?,74DF0F10,?,00000000,?,0299A445), ref: 0299DD3B
• InterlockedExchange.KERNEL32(029A36B4,00000001), ref: 0299DD44
• GetCurrentThreadId.KERNEL32 ref: 0299DD53
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: efcaab998b43f7ebfa2b17cfe944095d6327a7db4e0ea4192483b3ea8633dd7a
                                                                                            • Instruction ID: ec8536436e238f8aa5539bfddcd44757ac0156b3a7e2564f33fb5eb4a897a9ee
                                                                                            • Opcode Fuzzy Hash: efcaab998b43f7ebfa2b17cfe944095d6327a7db4e0ea4192483b3ea8633dd7a
                                                                                            • Instruction Fuzzy Hash: 7FF082729CC3149FDB806FADA9CEB3A7BA9EF46362F000855E609C2641C7205465CFF6
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0299AD1C
                                                                                            • lstrlenA.KERNEL32(?), ref: 0299AD60
                                                                                            • lstrlenA.KERNEL32(?), ref: 0299AD69
                                                                                            • lstrcpyA.KERNEL32(?,LocalHost), ref: 0299AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 588a57b06e53b4b6e94942fe645cb2526000772d4df08b2d24ecae2ab2c4ebd7
                                                                                            • Instruction ID: 740a18726ed12eb01344b12710a3b15837c8556dc054861099ae7dff8b51883e
                                                                                            • Opcode Fuzzy Hash: 588a57b06e53b4b6e94942fe645cb2526000772d4df08b2d24ecae2ab2c4ebd7
                                                                                            • Instruction Fuzzy Hash: D701F5708882895DDF31463C9844BB93FAEEF8B77AF101055E4C09B165EF24848787A2
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,029998FD,00000001,00000100,029A22F8,0299A3C7), ref: 02994290
                                                                                            • CloseHandle.KERNEL32(0299A3C7), ref: 029943AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 029943AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 2b13d8b53101801d71e01aec10af6f273664e813536046ce3ac0c5992a53a41f
                                                                                            • Instruction ID: 43b068f9a6acecbed40d8dad60f3e5dc477ef8465d785e4f17066767f1bd5813
                                                                                            • Opcode Fuzzy Hash: 2b13d8b53101801d71e01aec10af6f273664e813536046ce3ac0c5992a53a41f
                                                                                            • Instruction Fuzzy Hash: 0C419C71C00209BAEF11ABB9DE86FAFBFBDEF40324F105555F605A2180D7358A51CBA0
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,029964CF,00000000), ref: 0299609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,029964CF,00000000), ref: 029960C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0299614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0299619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: df0d4b96d8b60324a15ab5a0d73262ac46edbf0ad23242e50be2b3a34e852fd7
                                                                                            • Instruction ID: 420cf6a408ab88c2c44b6e3a2c1491295e34ba08f12987c9cf406e08bbc31001
                                                                                            • Opcode Fuzzy Hash: df0d4b96d8b60324a15ab5a0d73262ac46edbf0ad23242e50be2b3a34e852fd7
                                                                                            • Instruction Fuzzy Hash: 53416C71E04209AFDF24CF69C884BA9B7BDEF44368F188469E815D7291E730E950CF90
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 47b75006fd309817c26bbf5fc384768aa2f6b29fcba8481e2196c15c395a3f61
                                                                                            • Instruction ID: 6ac2ccd09f372aa06ec44736a644ff2044d2155414924f300677005f5e2d5a10
                                                                                            • Opcode Fuzzy Hash: 47b75006fd309817c26bbf5fc384768aa2f6b29fcba8481e2196c15c395a3f61
                                                                                            • Instruction Fuzzy Hash: EF317E72E00319BBDF109FA9CC81BBEB7F8EF88721F104856E945E6281E374D6518B54
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0299272E
                                                                                            • htons.WS2_32(00000001), ref: 02992752
                                                                                            • htons.WS2_32(0000000F), ref: 029927D5
                                                                                            • htons.WS2_32(00000001), ref: 029927E3
                                                                                            • sendto.WS2_32(?,029A2BF8,00000009,00000000,00000010,00000010), ref: 02992802
                                                                                              • Part of subcall function 0299EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0299EBFE,7FFF0001,?,0299DB55,7FFF0001), ref: 0299EBD3
                                                                                              • Part of subcall function 0299EBCC: RtlAllocateHeap.NTDLL(00000000,?,0299DB55,7FFF0001), ref: 0299EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: ab787fbbbcf42eddf52c28357c09abd2b41983b6780a540df5fe1229a13a9858
                                                                                            • Instruction ID: ba4517b8fe86057e3d14af9cf7a81ff88125cf9409e1ef1c59e50ebad7e30ef6
                                                                                            • Opcode Fuzzy Hash: ab787fbbbcf42eddf52c28357c09abd2b41983b6780a540df5fe1229a13a9858
                                                                                            • Instruction Fuzzy Hash: 7B315B34E8A382AFDB10CF78D890A757764EF5A328B19485DDC558B312D733E452CB90
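The record above (function at 0299272E) converts three constants with htons, 1, 0x0F and 1, and then calls sendto with a 16-byte (IPv4) sockaddr. Those values are consistent with a DNS question built by hand (QDCOUNT = 1, QTYPE = 15 for MX, QCLASS = 1 for IN) and sent over UDP; that reading is an inference for this example, the report itself only lists the calls. The script below is an added example, not code from the report, the sandbox or the sample: it builds such a query, parses it back, and gives a small detection helper that flags an outbound IN MX question, which is what a packet capture of this process would have to be checked for. The recursion-desired flag is assumed; the record shows no flags word.

```python
import struct

# Operands of the three htons() calls in the record at 0299272E, read as DNS fields
# (this reading is an inference for the example, not something the report states).
QDCOUNT_ONE = 0x0001   # one question
QTYPE_MX    = 0x000F   # MX record
QCLASS_IN   = 0x0001   # Internet class
FLAG_RD     = 0x0100   # recursion desired; assumed here, the record does not show a flags word


def encode_name(name):
    """RFC 1035 wire form: length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(txid, name, qtype=QTYPE_MX, qclass=QCLASS_IN):
    """12-byte header (six big-endian shorts, i.e. what htons() produces by hand) + one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, QDCOUNT_ONE, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                       # compression pointers never appear in a plain query
            raise ValueError("unexpected compression pointer")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_query(pkt):
    """Return (txid, flags, qname, qtype, qclass) for a one-question DNS packet."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, flags, qname, qtype, qclass


def is_mx_query(pkt):
    """Detection helper: True for a query (QR bit clear) asking for an IN MX record."""
    try:
        _, flags, _, qtype, qclass = parse_query(pkt)
    except (ValueError, IndexError, struct.error):
        return False
    return not (flags & 0x8000) and qtype == QTYPE_MX and qclass == QCLASS_IN


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")       # constructed input
    print(q.hex(), is_mx_query(q))
```

The builder uses struct's "!" byte order for every 16-bit field, which is exactly the conversion the sample performs call by call with htons; the parser rejects responses (QR set), multi-question packets and truncated data rather than guessing, so it can be run over a capture without raising on unrelated UDP/53 traffic.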
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,029A22F8), ref: 0299915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02999166
                                                                                            • CharToOemA.USER32(?,?), ref: 02999174
                                                                                            • wsprintfA.USER32 ref: 029991A9
                                                                                              • Part of subcall function 02999064: GetTempPathA.KERNEL32(00000400,?,00000000,029A22F8), ref: 0299907B
                                                                                              • Part of subcall function 02999064: wsprintfA.USER32 ref: 029990E9
                                                                                              • Part of subcall function 02999064: CreateFileA.KERNEL32(029A22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0299910E
                                                                                              • Part of subcall function 02999064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02999122
                                                                                              • Part of subcall function 02999064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0299912D
                                                                                              • Part of subcall function 02999064: CloseHandle.KERNEL32(00000000), ref: 02999134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029991E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 088d6331322b061a967b256df226a124700ad53ffb860796c8cfb60f82dac0c7
                                                                                            • Instruction ID: f1cd59d01446fc4b1893693d083ea001733a4be62eae5049b1c600d12bf3fc82
                                                                                            • Opcode Fuzzy Hash: 088d6331322b061a967b256df226a124700ad53ffb860796c8cfb60f82dac0c7
                                                                                            • Instruction Fuzzy Hash: 820192F6D402187BEB20A6618C4DFEF3B7CDBD5701F000091BB49E2040D67096848FB0
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02992491,?,?,?,0299E844,-00000030,?,?,?,00000001), ref: 02992429
                                                                                            • lstrlenA.KERNEL32(?,?,02992491,?,?,?,0299E844,-00000030,?,?,?,00000001,02991E3D,00000001,localcfg,lid_file_upd), ref: 0299243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 02992452
                                                                                            • lstrlenA.KERNEL32(?,?,02992491,?,?,?,0299E844,-00000030,?,?,?,00000001,02991E3D,00000001,localcfg,lid_file_upd), ref: 02992467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: cd11d1a52d2742a0a4b2fde6f5f71ecd9098c18534750e514b8c722f60d6c8ea
                                                                                            • Instruction ID: e369a1d042c7bd3ea488a5900665b83e2ce0a6aa5ece976c7ddc98292db1a5f2
                                                                                            • Opcode Fuzzy Hash: cd11d1a52d2742a0a4b2fde6f5f71ecd9098c18534750e514b8c722f60d6c8ea
                                                                                            • Instruction Fuzzy Hash: 2001DA31A00219BFCF11EF69DC859DE7BADEF45364B11C425ED59D7201E330EA54CA90
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: f49e3cf996e1858eb83b5708d8240b21ceb80de375f222c74cfbe7366a653573
                                                                                            • Instruction ID: 870210f62053df0d66812d668683cb235c657d3a2745d53652f7dd2261a222f4
                                                                                            • Opcode Fuzzy Hash: f49e3cf996e1858eb83b5708d8240b21ceb80de375f222c74cfbe7366a653573
                                                                                            • Instruction Fuzzy Hash: 774179729042999FDF21DFB88D44BEE3BEDAF49320F240056F9A4D3152D635EA05CBA0
                                                                                            APIs
                                                                                              • Part of subcall function 0299DD05: GetTickCount.KERNEL32 ref: 0299DD0F
                                                                                              • Part of subcall function 0299DD05: InterlockedExchange.KERNEL32(029A36B4,00000001), ref: 0299DD44
                                                                                              • Part of subcall function 0299DD05: GetCurrentThreadId.KERNEL32 ref: 0299DD53
                                                                                            • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,02995EC1), ref: 0299E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,02995EC1), ref: 0299E6E9
                                                                                            • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,02995EC1), ref: 0299E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: 89ABCDEF
                                                                                            • API String ID: 3343386518-71641322
                                                                                            • Opcode ID: dbc9e03a69fd492e2ee9a05a25490fd6ebc47b9ddfbaf70806a731848ee52b13
                                                                                            • Instruction ID: 5d9e0282c0401b3f5022fd3618a1bf0505f631aa9e6149b6d220a7f8a2cf38aa
                                                                                            • Opcode Fuzzy Hash: dbc9e03a69fd492e2ee9a05a25490fd6ebc47b9ddfbaf70806a731848ee52b13
                                                                                            • Instruction Fuzzy Hash: E931AB31A04715DFDF31CF68D884B6677E8AF05739F10892BE9968B541E771E880CB91
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0299E2A3,00000000,00000000,00000000,00020106,00000000,0299E2A3,00000000,000000E4), ref: 0299E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0299E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,029A22F8), ref: 0299E127
                                                                                            • RegDeleteValueA.ADVAPI32(0299E2A3,?,?,?,?,?,000000C8,029A22F8), ref: 0299E158
                                                                                            • RegCloseKey.ADVAPI32(0299E2A3,?,?,?,?,000000C8,029A22F8,?,?,?,?,?,?,?,?,0299E2A3), ref: 0299E161
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 506cde947a24d8cedf03515a68294530d961329dc6988f2f58dd60c0d42925b2
                                                                                            • Instruction ID: 22f577bbd2e684cd8c13f4c0a31873460e6d0138c9b94f3d57fb5b644065748c
                                                                                            • Opcode Fuzzy Hash: 506cde947a24d8cedf03515a68294530d961329dc6988f2f58dd60c0d42925b2
                                                                                            • Instruction Fuzzy Hash: 7D212C71A00229BBDF219EA8DC89EAE7F7DEF09760F004062F944E6150E6718A54DBA0
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0299A3C7,00000000,00000000,000007D0,00000001), ref: 02993FB8
                                                                                            • GetLastError.KERNEL32 ref: 02993FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 02993FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02993FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 9e4ab4b75fdefa584b7f1ac68b9fd93d794fb2eb502bc6bb5650ee260b6f6319
• Instruction ID: c722cc996c0fcd94f3840f6fca680ff4c4e3b382ebdb20aad1b25499a1483e91
• Opcode Fuzzy Hash: 9e4ab4b75fdefa584b7f1ac68b9fd93d794fb2eb502bc6bb5650ee260b6f6319
• Instruction Fuzzy Hash: B501937291421AABEF11DF94D986BEE7BBCEB04366F104461F902E2050D7709A64CBA6

APIs
• WriteFile.KERNEL32(00000000,00000000,0299A3C7,00000000,00000000,000007D0,00000001), ref: 02993F44
• GetLastError.KERNEL32 ref: 02993F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02993F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02993F72
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: ed35d6fb2b86bd5a1676734e7984463c4372613c20763056660df77998a0c9a8
• Instruction ID: bc2c6ff666271e69ae47ee1a3768473c1aca01d59f889481e5a9578ac25a58ad
• Opcode Fuzzy Hash: ed35d6fb2b86bd5a1676734e7984463c4372613c20763056660df77998a0c9a8
• Instruction Fuzzy Hash: AF01D372915219ABEF01DE94D985BEF7BBCEB04365F104565FA02E2040D7309A24CBA6

APIs
• GetTickCount.KERNEL32 ref: 02994E9E
• GetTickCount.KERNEL32 ref: 02994EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 02994EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 02994EC3
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: eaca2eeaae0b62a297539e5b215b1a9da30fc924d91bb0fd7eaad45106e22541
• Instruction ID: 81dcb0b6d7c66d23eba0e791edc89d81cb83ea6c30d4d52542e70d40832997e7
• Opcode Fuzzy Hash: eaca2eeaae0b62a297539e5b215b1a9da30fc924d91bb0fd7eaad45106e22541
• Instruction Fuzzy Hash: 60E0863268532557DA1026FDAC85F6B764DAF46371F010931E609D2140D657985385F1

APIs
• GetTickCount.KERNEL32 ref: 0299A4D1
• GetTickCount.KERNEL32 ref: 0299A4E4
• Sleep.KERNEL32(00000000,?,0299C2E9,0299C4E0,00000000,localcfg,?,0299C4E0,029A3588,02998810), ref: 0299A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0299A4FA
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: e62719eb9dfa49ac13cb82327aa16ee0a43b21fbb093cb2dd443a012346ecf07
• Instruction ID: 714a01bd931ae815ec6795d26217e1d3a8241ae6c0e925ac0c20a53bb864ee49
• Opcode Fuzzy Hash: e62719eb9dfa49ac13cb82327aa16ee0a43b21fbb093cb2dd443a012346ecf07
• Instruction Fuzzy Hash: A7E0263334432557CA0017A9AC84F7E3388EF4A7B1F020421FA0CD3140C616A851C1F6

APIs
• GetTickCount.KERNEL32 ref: 02994BDD
• GetTickCount.KERNEL32 ref: 02994BEC
• Sleep.KERNEL32(00000000,?,?,?,02E1B1BC,029950F2), ref: 02994BF9
• InterlockedExchange.KERNEL32(02E1B1B0,00000001), ref: 02994C02
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 9755bbecd5a587d55aa3a50f28ca9316dc6c620a8073c5b650c76ab9d8cf60ba
• Instruction ID: ff0b02e847c9db026663e64462c7dc8924c28f709639f6a3b0c591c076ef74a9
• Opcode Fuzzy Hash: 9755bbecd5a587d55aa3a50f28ca9316dc6c620a8073c5b650c76ab9d8cf60ba
• Instruction Fuzzy Hash: B1E0863668532557CA1026A99C85FAA775CAF45371F060876F708D2140D5569452C1F1

APIs
• GetTickCount.KERNEL32 ref: 02993103
• GetTickCount.KERNEL32 ref: 0299310F
• Sleep.KERNEL32(00000000), ref: 0299311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 02993128
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 25190ce33768d4c47694d20b47457a062a831944b63e75822e8c38a4891f8b2f
• Instruction ID: 0c7753707e9886981bb3611de8ee6bc171c231203502740fac168ef9a9036dc2
• Opcode Fuzzy Hash: 25190ce33768d4c47694d20b47457a062a831944b63e75822e8c38a4891f8b2f
• Instruction Fuzzy Hash: 2AE0C231648325ABDF102FBAAD46B696A5AEF847B5F010871F201D20A0C6504C10CDB1

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: 457d6f0332fcf57fd5aba45327559473620cbc845a4c85f0ef563cbb055d4774
• Instruction ID: 3cf3bada1d19ec2bc0a061be4f22df0c386ee79012828e9055d23608c61b4202
• Opcode Fuzzy Hash: 457d6f0332fcf57fd5aba45327559473620cbc845a4c85f0ef563cbb055d4774
• Instruction Fuzzy Hash: 8021B132A18615AFDF109FBCD89566ABBBEFF62364B69059ED401DB101CB30E940CB94

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0299C057
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 81ac3fd3842f2e0ac077a3b2cb2af72a429eee3834e44939e176302928209cc8
• Instruction ID: 87f11ef30650f0933bf23f895330bb041861b674f3fdd0c91af3e9b7d22cf99f
• Opcode Fuzzy Hash: 81ac3fd3842f2e0ac077a3b2cb2af72a429eee3834e44939e176302928209cc8
• Instruction Fuzzy Hash: 3B119A72500200FFDB429AA9CD44E567FA6FF88318B34819CF6188E166D633D863DB50

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 029926C3
• inet_ntoa.WS2_32(?), ref: 029926E4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: e47f7718dbef920e7a37bcd9fdf2a52773d689b45e6e6107c434e77d79144b53
• Instruction ID: f66ac9c079c785f3cf0eb3600f7be4438820809a5b82256a744a36bada32a811
• Opcode Fuzzy Hash: e47f7718dbef920e7a37bcd9fdf2a52773d689b45e6e6107c434e77d79144b53
• Instruction Fuzzy Hash: CFF0FE365483097BEF00AFA8EC05AAA379DDF45771F144426FD08DA490DB71D9509798

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0299EB54,_alldiv,0299F0B7,80000001,00000000,00989680,00000000,?,?,?,0299E342,00000000,75A8EA50,80000001,00000000), ref: 0299EAF2
• GetProcAddress.KERNEL32(76E90000,00000000), ref: 0299EB07
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 4984d9b82e6c59238ff4e12527418bff0703c3090f6e0fba46b8ddc586d605ae
• Instruction ID: b9e6a47894e8d51e8ad78c020d84caba20b18afdf9da429377cc72f61e0ae8f7
• Opcode Fuzzy Hash: 4984d9b82e6c59238ff4e12527418bff0703c3090f6e0fba46b8ddc586d605ae
• Instruction Fuzzy Hash: F5D0C734A44312579F118F6E951BB6A76DC6F44715B408855E446D1100D730D414D645

APIs
  • Part of subcall function 02992D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02992F01,?,029920FF,029A2000), ref: 02992D3A
  • Part of subcall function 02992D21: LoadLibraryA.KERNEL32(?), ref: 02992D4A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 02992F73
• HeapFree.KERNEL32(00000000), ref: 02992F7A
Memory Dump Source
• Source File: 0000000E.00000002.2921995017.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Offset: 02990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2990000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 11d7c6f4f043635406ef38618b7412437ef5d2354ee6f803bac7f90499714074
• Instruction ID: 89631c475eee79060c919f819c6f6ba0b13a614137c93bc6226e2e5adfe0553a
• Opcode Fuzzy Hash: 11d7c6f4f043635406ef38618b7412437ef5d2354ee6f803bac7f90499714074
• Instruction Fuzzy Hash: 5651BF7190420AAFDF01DF68D888AFAB779FF06314F1045A9EC96D7210E732DA19CB94