Windows Analysis Report
Uc84uB877e.exe

Overview

General Information

Sample name: Uc84uB877e.exe (renamed because the original name is a hash value)
Original sample name: 57d8986f5db1704c0d6a46f1c6cbd77e.exe
Analysis ID: 1505415
MD5: 57d8986f5db1704c0d6a46f1c6cbd77e
SHA1: 8d1761161e37a7c071d19700cb2b3a073d28f6f0
SHA256: 6144c9369be2e903bdd67a73d031dac6e9edf69d54956ce1de82749ad4c0759f
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Process Tree

  • System is w10x64
  • Uc84uB877e.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\Uc84uB877e.exe" MD5: 57D8986F5DB1704C0D6A46F1C6CBD77E)
    • cmd.exe (PID: 7584 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rxarouyf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7640 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\cwworbfr.exe" C:\Windows\SysWOW64\rxarouyf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7696 cmdline: "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7744 cmdline: "C:\Windows\System32\sc.exe" description rxarouyf "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7804 cmdline: "C:\Windows\System32\sc.exe" start rxarouyf MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7888 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cwworbfr.exe (PID: 7868 cmdline: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d"C:\Users\user\Desktop\Uc84uB877e.exe" MD5: EB62495EFD3197B9366AB0FF28F8B331)
    • svchost.exe (PID: 7984 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

Extracted malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches, memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000000.00000002.1747369440.000000000058B000.00000040.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_RedLineStealer_ed346e4c (description: unknown, author: unknown)
  • 0x1000:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee, author: Joe Security)
  Rule: Windows_Trojan_Smokeloader_3687686f (description: unknown, author: unknown)
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
  Rule: Windows_Trojan_Tofsee_26124fe4 (description: unknown, author: unknown)
  • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee, author: Joe Security)
(24 further memory-dump matches are not shown in this view)

Yara matches, unpacked PEs (Source / Rule / Description / Author / Strings):

Source: 11.3.cwworbfr.exe.510000.0.raw.unpack
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee, author: Joe Security)
  Rule: Windows_Trojan_Tofsee_26124fe4 (description: unknown, author: unknown)
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee (Detects Tofsee, author: ditekSHen)
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 11.2.cwworbfr.exe.400000.0.raw.unpack
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee, author: Joe Security)
  Rule: Windows_Trojan_Tofsee_26124fe4 (description: unknown, author: unknown)
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(39 further unpacked-PE matches are not shown in this view)
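The $a string of Windows_Trojan_Tofsee_26124fe4 (at 0x27ab, 0x1944 and 0x2544 in the dumps listed above) is not an arbitrary byte signature: the 51 bytes are one complete function, a rolling XOR over a buffer, which is the scheme public Tofsee analyses describe for its embedded strings and configuration. By contrast, the single-string Smokeloader and RedLineStealer memory matches rest on much weaker evidence: the Smokeloader bytes are a generic PE-header walk (mov eax,[eax+3Ch] reads e_lfanew, lea eax,[ecx+eax+4] lands on the file header) and the RedLine bytes are a plain function prologue, so they should not be read as a second family being present. What follows is an added example, not code from the report or from the rule authors: a Python reconstruction of the $a routine, used to encrypt a constructed sample string, recover the (key, delta) pair from a known-plaintext prefix, and decrypt it. The key and delta values are assumptions; the report does not contain them.

```python
"""Rolling-XOR routine reconstructed from the $a bytes of Windows_Trojan_Tofsee_26124fe4.

Added example; not code from the report or from the rule's authors. The 51-byte
pattern quoted in the report disassembles to one complete function taking
(dst, src, len, key, delta):

    push ebp ; mov ebp,esp
    mov eax,[ebp+8]        ; eax = dst, also the loop index
    push edi
    mov edi,[ebp+10h]      ; edi = len
    mov cl,1               ; cl = sign, flipped every byte
    test edi,edi ; jz done
    push esi
    mov esi,[ebp+0Ch]
    sub esi,eax            ; esi = src - dst, so [esi+eax] is src[i]
  next:
    mov dl,[esi+eax]
    xor dl,[ebp+14h]       ; dst[i] = src[i] ^ key
    mov [eax],dl
    mov dl,cl
    add dl,[ebp+18h]       ; step = sign + delta
    neg cl                 ; sign = -sign
    add [ebp+14h],dl       ; key += step (8-bit wrap)
    inc eax ; dec edi ; jnz next
    pop esi
  done:
    mov eax,[ebp+8] ; pop edi ; pop ebp ; ret

The key and delta a given sample uses are not in the report; the values used in
main() are assumptions chosen for the demonstration.
"""
from typing import List, Tuple


def tofsee_xor(data: bytes, key: int, delta: int) -> bytes:
    """Python equivalent of the routine above.

    Each output byte is src[i] XOR k(i), where k(i) depends only on
    (key, delta, i), so the function is its own inverse: call it once to
    encrypt and once more with the same parameters to decrypt.
    """
    out = bytearray(len(data))
    sign = 1
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key + delta + sign) & 0xFF   # add [ebp+14h], dl  (dl = cl + delta)
        sign = -sign                        # neg cl
    return bytes(out)


def recover_params(ciphertext: bytes, known_prefix: bytes) -> List[Tuple[int, int]]:
    """Known-plaintext recovery of (key, delta).

    The first byte fixes key (c0 ^ key == p0) and the second fixes delta, so any
    prefix of two or more bytes yields exactly one candidate; the exhaustive
    16-bit search is kept because it is cheap and needs no algebra.
    """
    n = len(known_prefix)
    return [
        (key, delta)
        for key in range(256)
        for delta in range(256)
        if tofsee_xor(ciphertext[:n], key, delta) == known_prefix
    ]


def main() -> None:
    # Constructed sample: one of the plaintext strings the ditekSHen rule looks for,
    # encrypted with assumed parameters so that decryption can be demonstrated.
    plaintext = b"mx connect error"
    key, delta = 0x5A, 0x17                                   # assumed, not from the report
    ciphertext = tofsee_xor(plaintext, key, delta)
    print("ciphertext:", ciphertext.hex())
    candidates = recover_params(ciphertext, b"mx c")          # analyst guesses the prefix
    print("recovered (key, delta):", [(hex(k), hex(d)) for k, d in candidates])
    k, d = candidates[0]
    print("decrypted:", tofsee_xor(ciphertext, k, d))


if __name__ == "__main__":
    main()
```

In practice the prefix comes from the format strings the ditekSHen rule lists (the `%s, %u %s %u` date format, `mx connect error`, the `%systemroot%` path): once one blob decrypts cleanly with a recovered pair, the same pair usually unlocks the rest of the string table in that sample.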

          System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d"C:\Users\user\Desktop\Uc84uB877e.exe", ParentImage: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, ParentProcessId: 7868, ParentProcessName: cwworbfr.exe, ProcessCommandLine: svchost.exe, ProcessId: 7984, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Uc84uB877e.exe", ParentImage: C:\Users\user\Desktop\Uc84uB877e.exe, ParentProcessId: 7500, ParentProcessName: Uc84uB877e.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7696, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.8.49, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7984, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d"C:\Users\user\Desktop\Uc84uB877e.exe", ParentImage: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, ParentProcessId: 7868, ParentProcessName: cwworbfr.exe, ProcessCommandLine: svchost.exe, ProcessId: 7984, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7984, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rxarouyf
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Uc84uB877e.exe", ParentImage: C:\Users\user\Desktop\Uc84uB877e.exe, ParentProcessId: 7500, ParentProcessName: Uc84uB877e.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7696, ProcessName: sc.exe
No Suricata rule has matched
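The process tree and the Sigma hits above describe the complete install chain: mkdir under SysWOW64, move the dropped binary there, register it as an auto-start service whose /d argument points back at the original sample, describe and start the service, open a firewall hole for SysWOW64\svchost.exe, then (from the injected svchost.exe, PID 7984) add a Windows Defender path exclusion and start talking SMTP to mail-provider MX hosts. The following is an added example, not part of the report: a Python replay of those events against the detection logic the Sigma rules encode. The events are constructed from the report's own command lines and IOCs; the two benign control events are assumptions, added to show the rules stay quiet on ordinary activity.

```python
"""Replay the Tofsee install chain from this report against simple host-detection rules.

Added example; not part of the Joe Sandbox report. The events below are constructed
from the report's process tree, Sigma hits and network section, in a Sysmon-like
shape (process create, registry set, network connect). The two benign control
events are assumptions, included to show the rules stay quiet on normal activity.
"""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Command lines copied from the report's process tree.
SC_CREATE = (
    r'"C:\Windows\System32\sc.exe" create rxarouyf binPath= '
    r'"C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" '
    r'type= own start= auto DisplayName= "wifi support"'
)
NETSH_RULE = (
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
    r'name="Host-process for services of Windows" dir=in action=allow '
    r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'
)

EVENTS: List[Event] = [
    {"type": "process", "pid": 7696, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": SC_CREATE, "parent_image": r"C:\Users\user\Desktop\Uc84uB877e.exe"},
    {"type": "process", "pid": 7888, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": NETSH_RULE, "parent_image": r"C:\Users\user\Desktop\Uc84uB877e.exe"},
    {"type": "process", "pid": 7984, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmd": "svchost.exe", "parent_image": r"C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe"},
    {"type": "registry", "pid": 7984, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
               r"\C:\Windows\SysWOW64\rxarouyf"},
    {"type": "network", "pid": 7984, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "dst_ip": "52.101.8.49", "dst_port": 25},
    # Benign controls (assumed, not from the report): a services.exe-hosted svchost
    # and a desktop mail client submitting on port 25.
    {"type": "process", "pid": 1500, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "network", "pid": 4100, "image": r"C:\Program Files\MailClient\mail.exe",
     "dst_ip": "203.0.113.10", "dst_port": 25},
]

STD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def binpath_exe(cmd: str) -> str:
    """Executable path from an `sc create ... binPath= "..."` command line
    (the quoted value may itself contain escaped quotes, as it does here)."""
    m = re.search(r'binPath=\s*"((?:[^"\\]|\\.)*)"', cmd, re.IGNORECASE)
    if not m:
        return ""
    exe = re.match(r'\s*"?(.+?\.exe)', m.group(1), re.IGNORECASE)
    return exe.group(1) if exe else ""


def unusual_service_location(exe: str) -> bool:
    """Service binaries live directly in System32/SysWOW64 or under Program Files.
    A fresh subfolder of System32/SysWOW64, or anything user-writable, is not normal."""
    p = exe.lower()
    if p.startswith(STD_DIRS):
        return p.count("\\") > 3          # c:\windows\syswow64\<sub>\x.exe has four
    return p.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in p


def check_process(ev: Event) -> List[str]:
    hits: List[str] = []
    image, cmd = str(ev["image"]).lower(), str(ev["cmd"])
    parent = str(ev["parent_image"]).lower().rsplit("\\", 1)[-1]
    if image.endswith("\\sc.exe") and re.search(r"\bcreate\b", cmd, re.IGNORECASE):
        # Suspicious New Service Creation: odd binary location or args into a user profile.
        if unusual_service_location(binpath_exe(cmd)) or re.search(r"c:\\users\\", cmd, re.IGNORECASE):
            hits.append("service_binpath_outside_standard_dirs")
    if image.endswith("\\netsh.exe") and re.search(r"add\s+rule", cmd, re.IGNORECASE) and "action=allow" in cmd.lower():
        prog = re.search(r'program="?([^"\s]+)', cmd, re.IGNORECASE)
        if prog and prog.group(1).lower().startswith(STD_DIRS):
            hits.append("netsh_allow_rule_for_system_binary")
    # Uncommon Svchost Parent / Suspect Svchost Activity: wrong parent or no -k group.
    if image.endswith("\\svchost.exe") and (parent not in ("services.exe", "msmpeng.exe") or "-k" not in cmd):
        hits.append("svchost_uncommon_parent_or_cmdline")
    return hits


def check_registry(ev: Event) -> List[str]:
    target = str(ev["target"]).lower()
    return ["defender_exclusion_added"] if "\\windows defender\\exclusions\\" in target else []


def check_network(ev: Event) -> List[str]:
    # Spam bots talk straight to MX hosts on 25; a Windows-directory binary has no reason to.
    if int(ev["dst_port"]) == 25 and str(ev["image"]).lower().startswith("c:\\windows\\"):
        return ["smtp_from_windows_dir_process"]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def run(events: List[Event]) -> List[Tuple[str, int]]:
    """Evaluate every event and return sorted (rule, pid) findings."""
    return sorted((rule, int(ev["pid"])) for ev in events for rule in CHECKS[ev["type"]](ev))


if __name__ == "__main__":
    for rule, pid in run(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The service rule keys on the binary sitting in a freshly created subdirectory of SysWOW64 rather than on the random service name, since the name changes per build while the layout does not; the same check catches the /d argument that points into a user profile. The five findings line up with the five Sigma hits the report lists, all of them attributable to three processes (7696, 7888 and the injected 7984).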


          AV Detection

Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: 11.2.cwworbfr.exe.460e67.1.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn | Virustotal: Detection: 15%
Source: vanaheim.cn:443 | Virustotal: Detection: 7%
Source: jotunheim.name:443 | Virustotal: Detection: 12%
Source: Uc84uB877e.exe | ReversingLabs: Detection: 75%
Source: Uc84uB877e.exe | Virustotal: Detection: 64%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Users\user\AppData\Local\Temp\cwworbfr.exe | Joe Sandbox ML: detected
Source: Uc84uB877e.exe | Joe Sandbox ML: detected

          Compliance

Source: C:\Users\user\Desktop\Uc84uB877e.exe | Unpacked PE file: 0.2.Uc84uB877e.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe | Unpacked PE file: 11.2.cwworbfr.exe.400000.0.unpack
Source: Uc84uB877e.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Uc84uB877e.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

          Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\rxarouyf

          Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.109 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.133.27 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 67.195.228.109
Source: Joe Sandbox View | IP Address: 52.101.8.49
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | IP Address: 77.232.41.29
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View | ASN Name: EUT-ASEUTIPNetworkRU
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 52.101.8.49:25
Source: global traffic | TCP traffic: 192.168.2.4:50620 -> 67.195.228.109:25
Source: global traffic | TCP traffic: 192.168.2.4:50621 -> 74.125.133.27:25
Source: global traffic | TCP traffic: 192.168.2.4:50624 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
Source: C:\Users\user\Desktop\Uc84uB877e.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50622
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50625
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50625 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50622 -> 443

          Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 11.3.cwworbfr.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.cwworbfr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.cwworbfr.exe.460e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.svchost.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.svchost.exe.32d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Uc84uB877e.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Uc84uB877e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.cwworbfr.exe.510000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.cwworbfr.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.Uc84uB877e.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Uc84uB877e.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.cwworbfr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Uc84uB877e.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cwworbfr.exe PID: 7868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7984, type: MEMORYSTR

          System Summary

          barindex
          Source: 11.3.cwworbfr.exe.510000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.3.cwworbfr.exe.510000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.cwworbfr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.cwworbfr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.3.Uc84uB877e.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.3.Uc84uB877e.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.cwworbfr.exe.460e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.cwworbfr.exe.460e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.3.cwworbfr.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.3.cwworbfr.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 14.2.svchost.exe.32d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 14.2.svchost.exe.32d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 14.2.svchost.exe.32d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 14.2.svchost.exe.32d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.cwworbfr.exe.460e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.cwworbfr.exe.460e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.Uc84uB877e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.Uc84uB877e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.cwworbfr.exe.510000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.cwworbfr.exe.510000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.cwworbfr.exe.510000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.cwworbfr.exe.510000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.3.Uc84uB877e.exe.510000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.3.Uc84uB877e.exe.510000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0.2.Uc84uB877e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0.2.Uc84uB877e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 11.2.cwworbfr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 11.2.cwworbfr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000000.00000002.1747369440.000000000058B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000B.00000002.1786560021.0000000000553000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: C:\Users\user\Desktop\Uc84uB877e.exeCode function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
          Source: C:\Users\user\Desktop\Uc84uB877e.exeCode function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,0_2_00401280
          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\rxarouyf\Jump to behavior
          Source: C:\Users\user\Desktop\Uc84uB877e.exeCode function: 0_2_0040C9130_2_0040C913
          Source: C:\Users\user\Desktop\Uc84uB877e.exeCode function: 0_2_0041A4300_2_0041A430
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exeCode function: 11_2_0040C91311_2_0040C913
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exeCode function: 11_2_0041A43011_2_0041A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032DC91314_2_032DC913
          Source: C:\Users\user\Desktop\Uc84uB877e.exeCode function: String function: 0040EE2A appears 40 times
          Source: C:\Users\user\Desktop\Uc84uB877e.exeCode function: String function: 00402544 appears 53 times
          Source: C:\Users\user\Desktop\Uc84uB877e.exeCode function: String function: 004F27AB appears 35 times
          Source: Uc84uB877e.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 11.3.cwworbfr.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.3.cwworbfr.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 11.2.cwworbfr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.2.cwworbfr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0.3.Uc84uB877e.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0.3.Uc84uB877e.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 11.2.cwworbfr.exe.460e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.2.cwworbfr.exe.460e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 11.3.cwworbfr.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.3.cwworbfr.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 14.2.svchost.exe.32d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 14.2.svchost.exe.32d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 14.2.svchost.exe.32d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 14.2.svchost.exe.32d0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 11.2.cwworbfr.exe.460e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.2.cwworbfr.exe.460e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0.2.Uc84uB877e.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0.2.Uc84uB877e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0.2.Uc84uB877e.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 11.2.cwworbfr.exe.510000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.2.cwworbfr.exe.510000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 11.2.cwworbfr.exe.510000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.2.cwworbfr.exe.510000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0.3.Uc84uB877e.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0.3.Uc84uB877e.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0.2.Uc84uB877e.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0.2.Uc84uB877e.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 11.2.cwworbfr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 11.2.cwworbfr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000000.00000002.1747369440.000000000058B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0000000B.00000002.1786560021.0000000000553000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: Uc84uB877e.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@22/3@9/5
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Code function: 0_2_0058C02E CreateToolhelp32Snapshot,Module32First,0_2_0058C02E
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,11_2_00409A6B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_032D9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,14_2_032D9A6B
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
          Source: C:\Users\user\Desktop\Uc84uB877e.exe File created: C:\Users\user\AppData\Local\Temp\cwworbfr.exe
          Source: Uc84uB877e.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Uc84uB877e.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Uc84uB877e.exe ReversingLabs: Detection: 75%
          Source: Uc84uB877e.exe Virustotal: Detection: 64%
          Source: C:\Users\user\Desktop\Uc84uB877e.exe File read: C:\Users\user\Desktop\Uc84uB877e.exe
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_11-15040
          Source: unknown Process created: C:\Users\user\Desktop\Uc84uB877e.exe "C:\Users\user\Desktop\Uc84uB877e.exe"
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rxarouyf\
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\cwworbfr.exe" C:\Windows\SysWOW64\rxarouyf\
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description rxarouyf "wifi internet conection"
          Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start rxarouyf
          Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d"C:\Users\user\Desktop\Uc84uB877e.exe"
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rxarouyf\
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\cwworbfr.exe" C:\Windows\SysWOW64\rxarouyf\
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description rxarouyf "wifi internet conection"
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start rxarouyf
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: msimg32.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: dbghelp.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: msvcr100.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: slc.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Section loaded: msimg32.dll
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Section loaded: dbghelp.dll
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Section loaded: msvcr100.dll
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\Uc84uB877e.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\Uc84uB877e.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

          Data Obfuscation

          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Unpacked PE file: 0.2.Uc84uB877e.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Unpacked PE file: 11.2.cwworbfr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Unpacked PE file: 0.2.Uc84uB877e.exe.400000.0.unpack
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Unpacked PE file: 11.2.cwworbfr.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_0058F316 push 0000002Bh; iretd 0_2_0058F31C
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Code function: 11_2_00557796 push 0000002Bh; iretd 11_2_0055779C
          Source: Uc84uB877e.exe, Static PE information: section name: .text entropy: 7.407058736943905

          Persistence and Installation Behavior

          Source: unknown, Executable created and started: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe
          Source: C:\Windows\SysWOW64\cmd.exe, File created: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe (copy)
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, File created: C:\Users\user\AppData\Local\Temp\cwworbfr.exe
          Source: C:\Windows\SysWOW64\cmd.exe, File created: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe (copy)
          Source: C:\Windows\SysWOW64\svchost.exe, Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxarouyf
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support"

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\svchost.exe, File deleted: c:\users\user\desktop\uc84ub877e.exe
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe, Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 14_2_032D199C
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15938
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-15466
          Source: C:\Windows\SysWOW64\svchost.exe, Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_14-7595
          Source: C:\Windows\SysWOW64\svchost.exe, Evaded block: after key decision graph_14-6131
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15424
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15414
          Source: C:\Windows\SysWOW64\svchost.exe, Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_14-6410
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14986
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-15057
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, API coverage: 6.5 %
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, API coverage: 5.0 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 8004, Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe, Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe, Last function: Thread delayed
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_0041A430 GetSystemTimes followed by cmp: cmp dword ptr [00421ffch], 0ah and CTI: jne 0041A687h 0_2_0041A430
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Code function: 11_2_0041A430 GetSystemTimes followed by cmp: cmp dword ptr [00421ffch], 0ah and CTI: jne 0041A687h 11_2_0041A430
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
          Source: svchost.exe, 0000000E.00000002.2919140840.0000000003600000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, API call chain: ExitProcess graph end node graph_0-15416
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, API call chain: ExitProcess graph end node graph_11-15427

          Anti Debugging

          Source: C:\Windows\SysWOW64\svchost.exe, Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_14-7656
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_004F092B mov eax, dword ptr fs:[00000030h] 0_2_004F092B
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_004F0D90 mov eax, dword ptr fs:[00000030h] 0_2_004F0D90
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_0058B90B push dword ptr fs:[00000030h] 0_2_0058B90B
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Code function: 11_2_0046092B mov eax, dword ptr fs:[00000030h] 11_2_0046092B
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Code function: 11_2_00460D90 mov eax, dword ptr fs:[00000030h] 11_2_00460D90
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Code function: 11_2_00553D8B push dword ptr fs:[00000030h] 11_2_00553D8B
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 14_2_032D9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 14_2_032D9A6B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 67.195.228.109 25
          Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 52.101.8.49 25
          Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 217.69.139.150 25
          Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 74.125.133.27 25
          Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 77.232.41.29 443
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 32D0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 32D0000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 32D0000
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 30EE008
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rxarouyf\
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\cwworbfr.exe" C:\Windows\SysWOW64\rxarouyf\
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description rxarouyf "wifi internet conection"
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start rxarouyf
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\netsh.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\svchost.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

          Stealing of Sensitive Information

          Source: Yara match, File source: 11.3.cwworbfr.exe.510000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.460e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 14.2.svchost.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 14.2.svchost.exe.32d0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Uc84uB877e.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Uc84uB877e.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.510000.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.510000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.3.Uc84uB877e.exe.510000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Uc84uB877e.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: Uc84uB877e.exe PID: 7500, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: cwworbfr.exe PID: 7868, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: svchost.exe PID: 7984, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match, File source: 11.3.cwworbfr.exe.510000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.460e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 14.2.svchost.exe.32d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 14.2.svchost.exe.32d0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Uc84uB877e.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Uc84uB877e.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.510000.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.510000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.3.Uc84uB877e.exe.510000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Uc84uB877e.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 11.2.cwworbfr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: Uc84uB877e.exe PID: 7500, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: cwworbfr.exe PID: 7868, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: svchost.exe PID: 7984, type: MEMORYSTR
          Source: C:\Users\user\Desktop\Uc84uB877e.exe, Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
          Source: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe, Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 11_2_004088B0
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 14_2_032D88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 14_2_032D88B0
MITRE ATT&CK Matrix (observed techniques per tactic, with the number of matching signatures):

Reconnaissance: no matching signatures
Resource Development: no matching signatures
Initial Access: Valid Accounts (1)
Execution: Native API (41); Command and Scripting Interpreter (2); Service Execution (3)
Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14)
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412)
Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
Credential Access: no matching signatures
Discovery: System Time Discovery (12); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: no matching signatures
Collection: Archive Collected Data (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112)
Exfiltration: no matching signatures
Impact: no matching signatures
Behavior Graph (ID: 1505415, Sample: Uc84uB877e.exe, Start date: 06/09/2024, Architecture: WINDOWS, Score: 100)

Contacted hosts: yahoo.com; vanaheim.cn; 6 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

Process tree:

• Uc84uB877e.exe (started)
  Dropped: C:\Users\user\AppData\Local\...\cwworbfr.exe, PE32
  Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: cmd.exe (dropped C:\Windows\SysWOW64\...\cwworbfr.exe (copy), PE32; started conhost.exe); netsh.exe (started conhost.exe); cmd.exe (started conhost.exe); 3 other processes (started 3 conhost.exe)
• cwworbfr.exe (started)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  Started: svchost.exe
    Contacted hosts: mta7.am0.yahoodns.net 67.195.228.109, port 25, YAHOO-GQ1US, United States; microsoft-com.mail.protection.outlook.com 52.101.8.49, port 25, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 3 other IPs or domains
    Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

Source          Detection  Scanner         Label
Uc84uB877e.exe  75%        ReversingLabs   Win32.Trojan.GCleaner
Uc84uB877e.exe  64%        Virustotal
Uc84uB877e.exe  100%       Joe Sandbox ML

Source                                         Detection  Scanner         Label
C:\Users\user\AppData\Local\Temp\cwworbfr.exe  100%       Joe Sandbox ML

No Antivirus matches

Source                                     Detection  Scanner
mxs.mail.ru                                0%         Virustotal
mta7.am0.yahoodns.net                      1%         Virustotal
microsoft-com.mail.protection.outlook.com  0%         Virustotal
vanaheim.cn                                16%        Virustotal
yahoo.com                                  0%         Virustotal
google.com                                 0%         Virustotal
smtp.google.com                            0%         Virustotal
mail.ru                                    0%         Virustotal

Source              Detection  Scanner          Label
vanaheim.cn:443     100%       Avira URL Cloud  phishing
jotunheim.name:443  100%       Avira URL Cloud  malware
vanaheim.cn:443     8%         Virustotal
jotunheim.name:443  13%        Virustotal
Name                                       IP              Active   Malicious  Reputation
mxs.mail.ru                                217.69.139.150  true     true       unknown
mta7.am0.yahoodns.net                      67.195.228.109  true     true       unknown
microsoft-com.mail.protection.outlook.com  52.101.8.49     true     true       unknown
vanaheim.cn                                77.232.41.29    true     true       unknown
smtp.google.com                            74.125.133.27   true     false      unknown
google.com                                 unknown         unknown  true       unknown
yahoo.com                                  unknown         unknown  true       unknown
mail.ru                                    unknown         unknown  true       unknown

Name                Malicious  Antivirus Detection                       Reputation
vanaheim.cn:443     true       Virustotal 8%; Avira URL Cloud: phishing  unknown
jotunheim.name:443  true       Virustotal 13%; Avira URL Cloud: malware  unknown
IP              Domain                                     Country             ASN    ASN Name                       Malicious
67.195.228.109  mta7.am0.yahoodns.net                      United States       36647  YAHOO-GQ1US                    true
52.101.8.49     microsoft-com.mail.protection.outlook.com  United States       8075   MICROSOFT-CORP-MSN-AS-BLOCKUS  true
217.69.139.150  mxs.mail.ru                                Russian Federation  47764  MAILRU-ASMailRuRU              true
74.125.133.27   smtp.google.com                            United States       15169  GOOGLEUS                       false
77.232.41.29    vanaheim.cn                                Russian Federation  28968  EUT-ASEUTIPNetworkRU           true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1505415
Start date and time: 2024-09-06 09:07:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Uc84uB877e.exe (renamed because the original name is a hash value)
Original Sample Name: 57d8986f5db1704c0d6a46f1c6cbd77e.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/3@9/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 71
• Number of non-executed functions: 259
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.70.246.20, 20.236.44.162, 20.112.250.133, 20.76.201.171, 20.231.239.246
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time      Type             Description
03:08:52  API Interceptor  3x Sleep call for process: svchost.exe modified
Process: C:\Users\user\Desktop\Uc84uB877e.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12080640
Entropy (8bit): 5.489599224206667
Encrypted: false
SSDEEP: 6144:rBpz9/vh9yxWe+0sgzP/LjRZoJHWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWu:tpz9WxrsgvjRKJ
MD5: EB62495EFD3197B9366AB0FF28F8B331
SHA1: 1A80AB4D400B0A02951C3E3949BAE9214FCBD3F7
SHA-256: 0C66E9F5568B33F698296107B918DC05A0B31CBE9B873332AF828A46C674746D
SHA-512: 8C9B056EEBA96B43354515CB3F3F3237FB4401565D4BB7627A4CB4DE399BA5EF277CC524E6241B0DB2CFD0B8B5A2F78F6ADEB64D1E55BFB8720A026369DAF46B
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):12080640
                                                                                  Entropy (8bit):5.489599224206667
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:rBpz9/vh9yxWe+0sgzP/LjRZoJHWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWu:tpz9WxrsgvjRKJ
                                                                                  MD5:EB62495EFD3197B9366AB0FF28F8B331
                                                                                  SHA1:1A80AB4D400B0A02951C3E3949BAE9214FCBD3F7
                                                                                  SHA-256:0C66E9F5568B33F698296107B918DC05A0B31CBE9B873332AF828A46C674746D
                                                                                  SHA-512:8C9B056EEBA96B43354515CB3F3F3237FB4401565D4BB7627A4CB4DE399BA5EF277CC524E6241B0DB2CFD0B8B5A2F78F6ADEB64D1E55BFB8720A026369DAF46B
                                                                                  Malicious:true
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wv..3...3...3...YS.2...\a`.)...\aU.!...\aa.V...:oX.6...3...\...\ad.2...\aQ.2...\aV.2...Rich3...........................PE..L.....^d..........................................@..........................p......o...........................................<....P...............................................................................................................text............................... ..`.rdata...&.......(..................@..@.data...`a....... ..................@....rsrc........P...p..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\netsh.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):3773
                                                                                  Entropy (8bit):4.7109073551842435
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                  MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                  SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                  SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                  SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                  Malicious:false
                                                                                  Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):6.603627230255947
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:Uc84uB877e.exe
                                                                                  File size:195'584 bytes
                                                                                  MD5:57d8986f5db1704c0d6a46f1c6cbd77e
                                                                                  SHA1:8d1761161e37a7c071d19700cb2b3a073d28f6f0
                                                                                  SHA256:6144c9369be2e903bdd67a73d031dac6e9edf69d54956ce1de82749ad4c0759f
                                                                                  SHA512:cbe09dd61dbf004195fef0dbe15c4abe6eaa6d7f6cfdf87b6019f46a585eedd3f97ff9f9da924bd9e673655096e005058cf3a2f6799b31cbce9ab9966ddeb6b6
                                                                                  SSDEEP:3072:jH+lBBpz9/vh9yxqucBeJAD/MsgzPl5LjRZkpyqp29yOyb1:SBpz9/vh9yxWe+0sgzP/LjRZoJH
                                                                                  TLSH:D6146B1131E1C027EEA65F304A708AAD0E3BBCF66A74518E32B0F66E1F736D24A55753
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wv..3...3...3....YS.2...\a`.)...\aU.!...\aa.V...:oX.6...3...\...\ad.2...\aQ.2...\aV.2...Rich3...........................PE..L..
                                                                                  Icon Hash:cb97354d5555599a
                                                                                  Entrypoint:0x401abc
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x645ECF9E [Fri May 12 23:45:34 2023 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:4f367ac621adeab4fe7fbfb9dbd8862f
                                                                                  Instruction
                                                                                  call 00007FB6DCC1F426h
                                                                                  jmp 00007FB6DCC1AEFEh
                                                                                  mov edi, edi
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  sub esp, 00000328h
                                                                                  mov dword ptr [0041FB10h], eax
                                                                                  mov dword ptr [0041FB0Ch], ecx
                                                                                  mov dword ptr [0041FB08h], edx
                                                                                  mov dword ptr [0041FB04h], ebx
                                                                                  mov dword ptr [0041FB00h], esi
                                                                                  mov dword ptr [0041FAFCh], edi
                                                                                  mov word ptr [0041FB28h], ss
                                                                                  mov word ptr [0041FB1Ch], cs
                                                                                  mov word ptr [0041FAF8h], ds
                                                                                  mov word ptr [0041FAF4h], es
                                                                                  mov word ptr [0041FAF0h], fs
                                                                                  mov word ptr [0041FAECh], gs
                                                                                  pushfd
                                                                                  pop dword ptr [0041FB20h]
                                                                                  mov eax, dword ptr [ebp+00h]
                                                                                  mov dword ptr [0041FB14h], eax
                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                  mov dword ptr [0041FB18h], eax
                                                                                  lea eax, dword ptr [ebp+08h]
                                                                                  mov dword ptr [0041FB24h], eax
                                                                                  mov eax, dword ptr [ebp-00000320h]
                                                                                  mov dword ptr [0041FA60h], 00010001h
                                                                                  mov eax, dword ptr [0041FB18h]
                                                                                  mov dword ptr [0041FA14h], eax
                                                                                  mov dword ptr [0041FA08h], C0000409h
                                                                                  mov dword ptr [0041FA0Ch], 00000001h
                                                                                  mov eax, dword ptr [0041E004h]
                                                                                  mov dword ptr [ebp-00000328h], eax
                                                                                  mov eax, dword ptr [0041E008h]
                                                                                  mov dword ptr [ebp-00000324h], eax
                                                                                  call dword ptr [000000DCh]
                                                                                  Programming Language:
                                                                                  • [C++] VS2010 build 30319
                                                                                  • [ASM] VS2010 build 30319
                                                                                  • [ C ] VS2010 build 30319
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [RES] VS2010 build 30319
                                                                                  • [LNK] VS2010 build 30319
                                                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cdb4 | 0x3c | .rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x11580 | .rsrc
                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x18c | .rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                  .text | 0x1000 | 0x1981f | 0x19a00 | 68a638f7ed222b53f81f7f73042698a4 | False | 0.7719798018292683 | data | 7.407058736943905 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                  .rdata | 0x1b000 | 0x26d4 | 0x2800 | 6279b1dd134c708ad7f9d0e1a43c0455 | False | 0.33798828125 | data | 4.907849131870923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .data | 0x1e000 | 0x6160 | 0x2000 | c97c8f042aa5aa9cdb9a8d13ed6a041d | False | 0.1861572265625 | data | 2.1375112584926774 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                  .rsrc | 0x25000 | 0x11580 | 0x11600 | 7610357289834bc6da1e807960246f4c | False | 0.49373313848920863 | data | 5.46528798707114 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                  AFX_DIALOG_LAYOUT | 0x312d8 | 0x2 | data | | | 5.0
                                                                                  LEBELIKOYALIPIDEKOMAKISIHU | 0x302b8 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6010447273914463
                                                                                  VORAPABONADIDOS | 0x30eb0 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.630648330058939
                                                                                  RT_CURSOR | 0x312e0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
                                                                                  RT_CURSOR | 0x31410 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
                                                                                  RT_ICON | 0x25800 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.601545842217484
                                                                                  RT_ICON | 0x266a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6814079422382672
                                                                                  RT_ICON | 0x26f50 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7396313364055299
                                                                                  RT_ICON | 0x27618 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7861271676300579
                                                                                  RT_ICON | 0x27b80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5698132780082987
                                                                                  RT_ICON | 0x2a128 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6897279549718575
                                                                                  RT_ICON | 0x2b1d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.7102459016393443
                                                                                  RT_ICON | 0x2bb58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8457446808510638
                                                                                  RT_ICON | 0x2c038 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.4064498933901919
                                                                                  RT_ICON | 0x2cee0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5640794223826715
                                                                                  RT_ICON | 0x2d788 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6273041474654378
                                                                                  RT_ICON | 0x2de50 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6351156069364162
                                                                                  RT_ICON | 0x2e3b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4643527204502814
                                                                                  RT_ICON | 0x2f460 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4504098360655738
                                                                                  RT_ICON | 0x2fde8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5
                                                                                  RT_DIALOG | 0x33b90 | 0x84 | data | | | 0.7651515151515151
                                                                                  RT_STRING | 0x33c18 | 0x3c2 | data | | | 0.46153846153846156
                                                                                  RT_STRING | 0x33fe0 | 0x638 | data | | | 0.43467336683417085
                                                                                  RT_STRING | 0x34618 | 0x46 | data | | | 0.6714285714285714
                                                                                  RT_STRING | 0x34660 | 0x8b6 | data | | | 0.41524663677130047
                                                                                  RT_STRING | 0x34f18 | 0x652 | data | | | 0.430778739184178
                                                                                  RT_STRING | 0x35570 | 0x782 | data | | | 0.42351716961498437
                                                                                  RT_STRING | 0x35cf8 | 0x728 | data | | | 0.42740174672489084
                                                                                  RT_STRING | 0x36420 | 0x15a | data | | | 0.5086705202312138
                                                                                  RT_ACCELERATOR | 0x312b0 | 0x28 | data | | | 1.025
                                                                                  RT_GROUP_CURSOR | 0x339b8 | 0x22 | data | | | 1.088235294117647
                                                                                  RT_GROUP_ICON | 0x2bfc0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
                                                                                  RT_GROUP_ICON | 0x30250 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
                                                                                  RT_VERSION | 0x339e0 | 0x1ac | data | | | 0.5887850467289719
                                                                                  DLL | Import
                                                                                  KERNEL32.dll | GetComputerNameA, FillConsoleOutputCharacterA, GetNumaProcessorNode, DebugActiveProcessStop, GetDefaultCommConfigW, CallNamedPipeA, WriteConsoleOutputW, HeapAlloc, GlobalSize, GetEnvironmentStringsW, CreateDirectoryW, GetComputerNameW, GetSystemDefaultLCID, GetModuleHandleW, GetConsoleAliasesLengthA, GetCommandLineA, GetSystemTimes, GlobalAlloc, LoadLibraryW, GetConsoleAliasExesLengthW, LeaveCriticalSection, SetConsoleMode, GetFileAttributesW, SetConsoleTitleA, GetShortPathNameA, InterlockedExchange, GetStartupInfoA, GetLastError, GetProcAddress, SetStdHandle, SearchPathA, BuildCommDCBW, GetNumaHighestNodeNumber, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, WritePrivateProfileStringA, QueryDosDeviceW, VirtualLock, FoldStringW, GetModuleFileNameA, FreeEnvironmentStringsW, FindAtomW, CopyFileExA, SetFilePointer, WriteConsoleW, MultiByteToWideChar, EncodePointer, DecodePointer, ExitProcess, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, EnterCriticalSection, Sleep, HeapSize, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, GetStringTypeW, HeapFree, RtlUnwind, HeapReAlloc, IsProcessorFeaturePresent, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, CloseHandle, CreateFileW
                                                                                  USER32.dll | GetUserObjectInformationW
                                                                                  Language of compilation system | Country where language is spoken
                                                                                  Turkish | Turkey
                                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Sep 6, 2024 09:08:10.197094917 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
                                                                                  Sep 6, 2024 09:08:11.211843014 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
                                                                                  Sep 6, 2024 09:08:13.227391958 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
                                                                                  Sep 6, 2024 09:08:13.507591009 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:08:13.507652998 CEST | 443 | 49732 | 77.232.41.29 | 192.168.2.4
                                                                                  Sep 6, 2024 09:08:13.507730961 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:08:17.227437019 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
                                                                                  Sep 6, 2024 09:08:25.227438927 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
                                                                                  Sep 6, 2024 09:08:30.222445011 CEST | 50620 | 25 | 192.168.2.4 | 67.195.228.109
                                                                                  Sep 6, 2024 09:08:31.227404118 CEST | 50620 | 25 | 192.168.2.4 | 67.195.228.109
                                                                                  Sep 6, 2024 09:08:33.227374077 CEST | 50620 | 25 | 192.168.2.4 | 67.195.228.109
                                                                                  Sep 6, 2024 09:08:37.227386951 CEST | 50620 | 25 | 192.168.2.4 | 67.195.228.109
                                                                                  Sep 6, 2024 09:08:45.227524042 CEST | 50620 | 25 | 192.168.2.4 | 67.195.228.109
                                                                                  Sep 6, 2024 09:08:50.244066954 CEST | 50621 | 25 | 192.168.2.4 | 74.125.133.27
                                                                                  Sep 6, 2024 09:08:51.258747101 CEST | 50621 | 25 | 192.168.2.4 | 74.125.133.27
                                                                                  Sep 6, 2024 09:08:53.274395943 CEST | 50621 | 25 | 192.168.2.4 | 74.125.133.27
                                                                                  Sep 6, 2024 09:08:53.493256092 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:08:53.493328094 CEST | 443 | 49732 | 77.232.41.29 | 192.168.2.4
                                                                                  Sep 6, 2024 09:08:53.493403912 CEST | 49732 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:08:53.603115082 CEST | 50622 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:08:53.603169918 CEST | 443 | 50622 | 77.232.41.29 | 192.168.2.4
                                                                                  Sep 6, 2024 09:08:53.603260040 CEST | 50622 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:08:57.274279118 CEST | 50621 | 25 | 192.168.2.4 | 74.125.133.27
                                                                                  Sep 6, 2024 09:09:05.289947033 CEST | 50621 | 25 | 192.168.2.4 | 74.125.133.27
                                                                                  Sep 6, 2024 09:09:10.259876966 CEST | 50624 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                  Sep 6, 2024 09:09:11.274297953 CEST | 50624 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                  Sep 6, 2024 09:09:13.290086031 CEST | 50624 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                  Sep 6, 2024 09:09:17.305537939 CEST | 50624 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                  Sep 6, 2024 09:09:25.305548906 CEST | 50624 | 25 | 192.168.2.4 | 217.69.139.150
                                                                                  Sep 6, 2024 09:09:33.618231058 CEST | 50622 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:09:33.618309975 CEST | 443 | 50622 | 77.232.41.29 | 192.168.2.4
                                                                                  Sep 6, 2024 09:09:33.618388891 CEST | 50622 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:09:33.728956938 CEST | 50625 | 443 | 192.168.2.4 | 77.232.41.29
                                                                                  Sep 6, 2024 09:09:33.729020119 CEST | 443 | 50625 | 77.232.41.29 | 192.168.2.4
                                                                                  Sep 6, 2024 09:09:33.729116917 CEST | 50625 | 443 | 192.168.2.4 | 77.232.41.29
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2024 09:08:10.187361002 CEST | 51272 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:08:10.194421053 CEST | 53 | 51272 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:08:13.179357052 CEST | 63721 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:08:13.459815025 CEST | 53 | 63721 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:08:18.484210014 CEST | 53 | 50496 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:08:30.196765900 CEST | 49433 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:08:30.211720943 CEST | 53 | 49433 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:08:30.212537050 CEST | 54096 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:08:30.221754074 CEST | 53 | 54096 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:08:50.227936983 CEST | 54047 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:08:50.235552073 CEST | 53 | 54047 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:08:50.236193895 CEST | 60836 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:08:50.243479967 CEST | 53 | 60836 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:09:10.243578911 CEST | 56178 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:09:10.250900030 CEST | 53 | 56178 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:09:10.251498938 CEST | 50394 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:09:10.259407043 CEST | 53 | 50394 | 1.1.1.1 | 192.168.2.4
Sep 6, 2024 09:10:03.812284946 CEST | 57800 | 53 | 192.168.2.4 | 1.1.1.1
Sep 6, 2024 09:10:04.058898926 CEST | 53 | 57800 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 6, 2024 09:08:10.187361002 CEST | 192.168.2.4 | 1.1.1.1 | 0x3daa | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:13.179357052 CEST | 192.168.2.4 | 1.1.1.1 | 0x4884 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.196765900 CEST | 192.168.2.4 | 1.1.1.1 | 0xf8a0 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:08:30.212537050 CEST | 192.168.2.4 | 1.1.1.1 | 0x7c5b | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:50.227936983 CEST | 192.168.2.4 | 1.1.1.1 | 0xc427 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:08:50.236193895 CEST | 192.168.2.4 | 1.1.1.1 | 0x8d62 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:09:10.243578911 CEST | 192.168.2.4 | 1.1.1.1 | 0x4565 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:09:10.251498938 CEST | 192.168.2.4 | 1.1.1.1 | 0x9efa | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:10:03.812284946 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e18 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 6, 2024 09:08:10.194421053 CEST | 1.1.1.1 | 192.168.2.4 | 0x3daa | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:10.194421053 CEST | 1.1.1.1 | 192.168.2.4 | 0x3daa | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:10.194421053 CEST | 1.1.1.1 | 192.168.2.4 | 0x3daa | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:10.194421053 CEST | 1.1.1.1 | 192.168.2.4 | 0x3daa | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:13.459815025 CEST | 1.1.1.1 | 192.168.2.4 | 0x4884 | No error (0) | vanaheim.cn | | 77.232.41.29 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.211720943 CEST | 1.1.1.1 | 192.168.2.4 | 0xf8a0 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:08:30.211720943 CEST | 1.1.1.1 | 192.168.2.4 | 0xf8a0 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:08:30.211720943 CEST | 1.1.1.1 | 192.168.2.4 | 0xf8a0 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.75 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.111 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:30.221754074 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c5b | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:50.235552073 CEST | 1.1.1.1 | 192.168.2.4 | 0xc427 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:08:50.243479967 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d62 | No error (0) | smtp.google.com | | 74.125.133.27 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:50.243479967 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d62 | No error (0) | smtp.google.com | | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:50.243479967 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d62 | No error (0) | smtp.google.com | | 74.125.133.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:50.243479967 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d62 | No error (0) | smtp.google.com | | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:08:50.243479967 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d62 | No error (0) | smtp.google.com | | 108.177.15.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:09:10.250900030 CEST | 1.1.1.1 | 192.168.2.4 | 0x4565 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Sep 6, 2024 09:09:10.259407043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9efa | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:09:10.259407043 CEST | 1.1.1.1 | 192.168.2.4 | 0x9efa | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:10:04.058898926 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e18 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:10:04.058898926 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e18 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:10:04.058898926 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e18 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 09:10:04.058898926 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e18 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false

                                                                                  Target ID:0
                                                                                  Start time:03:07:56
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Users\user\Desktop\Uc84uB877e.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\Uc84uB877e.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:195'584 bytes
                                                                                  MD5 hash:57D8986F5DB1704C0D6A46F1C6CBD77E
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1747369440.000000000058B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1715768332.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:03:08:02
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rxarouyf\
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:03:08:02
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:03:08:02
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\cwworbfr.exe" C:\Windows\SysWOW64\rxarouyf\
                                                                                  Imagebase:0x240000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:03:08:02
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:03:08:03
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\sc.exe" create rxarouyf binPath= "C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d\"C:\Users\user\Desktop\Uc84uB877e.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                  Imagebase:0x670000
                                                                                  File size:61'440 bytes
                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:03:08:03
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:03:08:03
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\sc.exe" description rxarouyf "wifi internet conection"
                                                                                  Imagebase:0x670000
                                                                                  File size:61'440 bytes
                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:03:08:03
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:03:08:04
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\sc.exe" start rxarouyf
                                                                                  Imagebase:0x670000
                                                                                  File size:61'440 bytes
                                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:10
                                                                                  Start time:03:08:04
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:03:08:04
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d"C:\Users\user\Desktop\Uc84uB877e.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:12'080'640 bytes
                                                                                  MD5 hash:EB62495EFD3197B9366AB0FF28F8B331
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1786515513.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.1786560021.0000000000553000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1785845697.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  Has exited:true

                                                                                  Target ID:12
                                                                                  Start time:03:08:04
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                  Imagebase:0x1560000
                                                                                  File size:82'432 bytes
                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:13
                                                                                  Start time:03:08:04
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:03:08:08
                                                                                  Start date:06/09/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:svchost.exe
                                                                                  Imagebase:0x790000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  Has exited:false
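The four command lines in the table above (the `sc start rxarouyf` service start, the dropped `C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe`, the `netsh advfirewall` rule that allows inbound traffic to `svchost.exe`, and the bare `svchost.exe` that carries the Tofsee Yara hits) are the host telemetry a detection engineer would key on. The following Python is an added example and not part of the Joe Sandbox report: it runs three checks over process-creation records constructed from those rows. The record schema, the helper names and the benign `svchost.exe -k netsvcs` line with pid 900 are this example's own assumptions, not sandbox output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record. This schema is the example's own
    choice, not a Joe Sandbox or Sysmon field layout."""
    pid: int
    image: str
    cmdline: str


# Constructed from the process table above (Target IDs 9, 11, 12 and 14); the
# Target ID stands in for the pid and the conhost entries are omitted. The
# pid 900 row is a constructed benign svchost line to show the -k check stays quiet.
SAMPLE_EVENTS = [
    ProcEvent(9, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" start rxarouyf'),
    ProcEvent(11, r"C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe",
              r'C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe /d"C:\Users\user\Desktop\Uc84uB877e.exe"'),
    ProcEvent(12, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="Host-process for services of Windows" dir=in action=allow '
              r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(14, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    ProcEvent(900, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
]

SVCHOST = re.compile(r"(?:^|\\)svchost\.exe$", re.IGNORECASE)
NETSH_PROGRAM = re.compile(r'program="?([^"\s]+)"?', re.IGNORECASE)
SC_START = re.compile(r'\bsc(?:\.exe)?"?\s+start\s+(\S+)', re.IGNORECASE)
SERVICE_GROUP = re.compile(r"\s-k\s+\S+", re.IGNORECASE)


def firewall_allow_for_svchost(ev: ProcEvent) -> Optional[str]:
    """netsh advfirewall firewall add rule ... program=<path>: flag when the
    allowed program is svchost.exe (Target ID 12 above)."""
    low = ev.cmdline.lower()
    if "advfirewall" not in low or "add rule" not in low:
        return None
    m = NETSH_PROGRAM.search(ev.cmdline)
    if m and SVCHOST.search(m.group(1)):
        return f"inbound firewall allow rule for {m.group(1)}"
    return None


def svchost_without_service_group(ev: ProcEvent) -> Optional[str]:
    """services.exe launches svchost with '-k <group>'. A bare 'svchost.exe'
    command line (Target ID 14) is an injected host, not a service host."""
    if not SVCHOST.search(ev.image):
        return None
    if SERVICE_GROUP.search(ev.cmdline):
        return None
    return "svchost.exe started without a -k service group"


def service_name_reused_as_directory(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Correlate 'sc start <name>' with a later image whose directory is <name>:
    the service rxarouyf resolves to SysWOW64/rxarouyf/cwworbfr.exe (Target ID 11)."""
    started = {}
    for ev in events:
        m = SC_START.search(ev.cmdline)
        if m:
            started[m.group(1).lower()] = ev.pid
    findings = []
    for ev in events:
        dirs = ev.image.lower().split("\\")[:-1]
        for name, sc_pid in started.items():
            if name in dirs:
                findings.append((ev.pid, f"binary of service '{name}' (started by pid {sc_pid}): {ev.image}"))
    return findings


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run the per-event checks, then the cross-event correlation."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        for check in (firewall_allow_for_svchost, svchost_without_service_group):
            msg = check(ev)
            if msg:
                findings.append((ev.pid, msg))
    findings.extend(service_name_reused_as_directory(events))
    return findings


if __name__ == "__main__":
    for pid, msg in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {msg}")
```

Two caveats when turning this into a production rule. On 64-bit Windows a 32-bit `C:\Windows\SysWOW64\svchost.exe` is a legitimate image, so the path alone is not the signal; the missing `-k` group is, and in this report it coincides with the Tofsee Yara matches in that process. The rule name `Host-process for services of Windows` is chosen to look like a Windows description, so matching on rule names is weaker than matching on `program=` pointing at a service host.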


                                                                                    Execution Graph

                                                                                    Execution Coverage:4%
                                                                                    Dynamic/Decrypted Code Coverage:2.1%
                                                                                    Signature Coverage:26.3%
                                                                                    Total number of Nodes:1598
                                                                                    Total number of Limit Nodes:20
execution_graph: [interactive call-graph node and edge listing, not reproduced here; the nodes are function addresses (e.g. 409a6b) annotated with the Windows APIs they call, among them SetUnhandledExceptionFilter, WSAStartup, StartServiceCtrlDispatcherA, RegSetValueExA, CreateProcessA, CreateProcessWithLogonW, DeviceIoControl, ShellExecuteA, send and closesocket]
15598 401225 GetProcAddress 15597->15598 15598->15586 15599 401241 GetProcAddress 15598->15599 15599->15586 15600 40125c GetProcAddress 15599->15600 15600->15586 15601->15562 15604 4069b9 WriteFile 15602->15604 15605 406a3c 15604->15605 15607 4069ff 15604->15607 15605->15185 15605->15186 15606 406a10 WriteFile 15606->15605 15606->15607 15607->15605 15607->15606 15609 40eb17 15608->15609 15610 40eb21 15608->15610 15612 40eae4 15609->15612 15610->15190 15613 40eb02 GetProcAddress 15612->15613 15614 40eaed LoadLibraryA 15612->15614 15613->15610 15614->15613 15615 40eb01 15614->15615 15615->15610 15617 40eba7 GetProcessHeap HeapSize 15616->15617 15618 40ebbf GetProcessHeap HeapFree 15616->15618 15617->15618 15618->15219 15620 40908d 15619->15620 15621 4090e2 wsprintfA 15620->15621 15622 40ee2a 15621->15622 15623 4090fd CreateFileA 15622->15623 15624 40911a lstrlenA WriteFile CloseHandle 15623->15624 15625 40913f 15623->15625 15624->15625 15625->15228 15625->15229 15627 40ee2a 15626->15627 15628 409794 CreateProcessA 15627->15628 15629 4097c2 15628->15629 15630 4097bb 15628->15630 15631 4097d4 GetThreadContext 15629->15631 15630->15240 15632 409801 15631->15632 15633 4097f5 15631->15633 15640 40637c 15632->15640 15634 4097f6 TerminateProcess 15633->15634 15634->15630 15636 409816 15636->15634 15637 40981e WriteProcessMemory 15636->15637 15637->15633 15638 40983b SetThreadContext 15637->15638 15638->15633 15639 409858 ResumeThread 15638->15639 15639->15630 15641 406386 15640->15641 15642 40638a GetModuleHandleA VirtualAlloc 15640->15642 15641->15636 15643 4063b6 15642->15643 15647 4063f5 15642->15647 15644 4063be VirtualAllocEx 15643->15644 15645 4063d6 15644->15645 15644->15647 15646 4063df WriteProcessMemory 15645->15646 15646->15647 15647->15636 15649 40dd41 InterlockedExchange 15648->15649 15650 40dd20 GetCurrentThreadId 15649->15650 15651 40dd4a 15649->15651 15652 40dd53 GetCurrentThreadId 15650->15652 15653 40dd2e GetTickCount 15650->15653 15651->15652 15652->15243 
15653->15651 15654 40dd39 Sleep 15653->15654 15654->15649 15656 40dbf0 15655->15656 15688 40db67 GetEnvironmentVariableA 15656->15688 15658 40dc19 15659 40dcda 15658->15659 15660 40db67 3 API calls 15658->15660 15659->15245 15661 40dc5c 15660->15661 15661->15659 15662 40db67 3 API calls 15661->15662 15663 40dc9b 15662->15663 15663->15659 15664 40db67 3 API calls 15663->15664 15664->15659 15666 40db3a 15665->15666 15668 40db55 15665->15668 15692 40ebed 15666->15692 15668->15247 15668->15252 15701 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15669->15701 15671 40e342 15672 40e3be 15671->15672 15704 40de24 15671->15704 15672->15247 15675 40e528 15674->15675 15676 40e3f4 15674->15676 15675->15256 15677 40e434 RegQueryValueExA 15676->15677 15678 40e458 15677->15678 15679 40e51d RegCloseKey 15677->15679 15680 40e46e RegQueryValueExA 15678->15680 15679->15675 15680->15678 15681 40e488 15680->15681 15681->15679 15682 40db2e 8 API calls 15681->15682 15683 40e499 15682->15683 15683->15679 15684 40e4b9 RegQueryValueExA 15683->15684 15685 40e4e8 15683->15685 15684->15683 15684->15685 15685->15679 15686 40e332 14 API calls 15685->15686 15687 40e513 15686->15687 15687->15679 15689 40db89 lstrcpyA CreateFileA 15688->15689 15690 40dbca 15688->15690 15689->15658 15690->15658 15693 40ec01 15692->15693 15694 40ebf6 15692->15694 15696 40eba0 codecvt 2 API calls 15693->15696 15695 40ebcc 4 API calls 15694->15695 15697 40ebfe 15695->15697 15698 40ec0a GetProcessHeap HeapReAlloc 15696->15698 15697->15668 15699 40eb74 2 API calls 15698->15699 15700 40ec28 15699->15700 15700->15668 15715 40eb41 15701->15715 15705 40de3a 15704->15705 15708 40de4e 15705->15708 15719 40dd84 15705->15719 15708->15671 15709 40de9e 15709->15708 15711 40ebed 8 API calls 15709->15711 15710 40de76 15723 40ddcf 15710->15723 15713 40def6 15711->15713 15713->15708 15714 40ddcf lstrcmpA 15713->15714 15714->15708 15716 40eb4a 15715->15716 15718 40eb54 15715->15718 15717 40eae4 2 API calls 15716->15717 
15717->15718 15718->15671 15720 40dd96 15719->15720 15721 40ddc5 15719->15721 15720->15721 15722 40ddad lstrcmpiA 15720->15722 15721->15709 15721->15710 15722->15720 15722->15721 15724 40dddd 15723->15724 15726 40de20 15723->15726 15725 40ddfa lstrcmpA 15724->15725 15724->15726 15725->15724 15726->15708 15728 40dd05 6 API calls 15727->15728 15729 40e821 15728->15729 15730 40dd84 lstrcmpiA 15729->15730 15731 40e82c 15730->15731 15733 40e844 15731->15733 15775 402480 15731->15775 15733->15272 15735 40dd05 6 API calls 15734->15735 15736 40df7c 15735->15736 15737 40dd84 lstrcmpiA 15736->15737 15741 40df89 15737->15741 15738 40dfc4 15738->15278 15739 40ddcf lstrcmpA 15739->15741 15740 40ec2e codecvt 4 API calls 15740->15741 15741->15738 15741->15739 15741->15740 15742 40dd84 lstrcmpiA 15741->15742 15742->15741 15744 40ea98 15743->15744 15784 40e8a1 15744->15784 15746 401e84 15746->15281 15748 4019d5 GetProcAddress GetProcAddress GetProcAddress 15747->15748 15751 4019ce 15747->15751 15749 401ab3 FreeLibrary 15748->15749 15750 401a04 15748->15750 15749->15751 15750->15749 15752 401a14 GetProcessHeap 15750->15752 15751->15285 15752->15751 15754 401a2e HeapAlloc 15752->15754 15754->15751 15755 401a42 15754->15755 15756 401a52 HeapReAlloc 15755->15756 15758 401a62 15755->15758 15756->15758 15757 401aa1 FreeLibrary 15757->15751 15758->15757 15759 401a96 HeapFree 15758->15759 15759->15757 15812 401ac3 LoadLibraryA 15760->15812 15763 401bcf 15763->15295 15765 401ac3 12 API calls 15764->15765 15766 401c09 15765->15766 15767 401c0d GetComputerNameA 15766->15767 15770 401c41 15766->15770 15768 401c45 GetVolumeInformationA 15767->15768 15769 401c1f 15767->15769 15768->15770 15769->15768 15769->15770 15770->15303 15772 40ee2a 15771->15772 15773 4030d0 gethostname gethostbyname 15772->15773 15774 401f82 15773->15774 15774->15309 15774->15311 15778 402419 lstrlenA 15775->15778 15777 402491 15777->15733 15779 40243d lstrlenA 15778->15779 15782 402474 15778->15782 15780 402464 lstrlenA 
15779->15780 15781 40244e lstrcmpiA 15779->15781 15780->15779 15780->15782 15781->15780 15783 40245c 15781->15783 15782->15777 15783->15780 15783->15782 15785 40dd05 6 API calls 15784->15785 15786 40e8b4 15785->15786 15787 40dd84 lstrcmpiA 15786->15787 15788 40e8c0 15787->15788 15789 40e90a 15788->15789 15790 40e8c8 lstrcpynA 15788->15790 15792 402419 4 API calls 15789->15792 15800 40ea27 15789->15800 15791 40e8f5 15790->15791 15805 40df4c 15791->15805 15793 40e926 lstrlenA lstrlenA 15792->15793 15795 40e96a 15793->15795 15796 40e94c lstrlenA 15793->15796 15799 40ebcc 4 API calls 15795->15799 15795->15800 15796->15795 15797 40e901 15798 40dd84 lstrcmpiA 15797->15798 15798->15789 15801 40e98f 15799->15801 15800->15746 15801->15800 15802 40df4c 20 API calls 15801->15802 15803 40ea1e 15802->15803 15804 40ec2e codecvt 4 API calls 15803->15804 15804->15800 15806 40dd05 6 API calls 15805->15806 15807 40df51 15806->15807 15808 40f04e 4 API calls 15807->15808 15809 40df58 15808->15809 15810 40de24 10 API calls 15809->15810 15811 40df63 15810->15811 15811->15797 15813 401ae2 GetProcAddress 15812->15813 15816 401b68 GetComputerNameA GetVolumeInformationA 15812->15816 15814 401af5 15813->15814 15813->15816 15815 40ebed 8 API calls 15814->15815 15817 401b29 15814->15817 15815->15814 15816->15763 15817->15816 15818 40ec2e codecvt 4 API calls 15817->15818 15818->15816 15820 406ec3 2 API calls 15819->15820 15821 407ef4 15820->15821 15822 4073ff 17 API calls 15821->15822 15831 407fc9 15821->15831 15823 407f16 15822->15823 15823->15831 15832 407809 GetUserNameA 15823->15832 15825 407f63 15826 40ef1e lstrlenA 15825->15826 15825->15831 15827 407fa6 15826->15827 15828 40ef1e lstrlenA 15827->15828 15829 407fb7 15828->15829 15856 407a95 RegOpenKeyExA 15829->15856 15831->15323 15833 40783d LookupAccountNameA 15832->15833 15834 407a8d 15832->15834 15833->15834 15835 407874 GetLengthSid GetFileSecurityA 15833->15835 15834->15825 15835->15834 15836 4078a8 GetSecurityDescriptorOwner 
15835->15836 15837 4078c5 EqualSid 15836->15837 15838 40791d GetSecurityDescriptorDacl 15836->15838 15837->15838 15839 4078dc LocalAlloc 15837->15839 15838->15834 15846 407941 15838->15846 15839->15838 15840 4078ef InitializeSecurityDescriptor 15839->15840 15842 407916 LocalFree 15840->15842 15843 4078fb SetSecurityDescriptorOwner 15840->15843 15841 40795b GetAce 15841->15846 15842->15838 15843->15842 15844 40790b SetFileSecurityA 15843->15844 15844->15842 15845 407980 EqualSid 15845->15846 15846->15834 15846->15841 15846->15845 15847 407a3d 15846->15847 15848 4079be EqualSid 15846->15848 15849 40799d DeleteAce 15846->15849 15847->15834 15850 407a43 LocalAlloc 15847->15850 15848->15846 15849->15846 15850->15834 15851 407a56 InitializeSecurityDescriptor 15850->15851 15852 407a62 SetSecurityDescriptorDacl 15851->15852 15853 407a86 LocalFree 15851->15853 15852->15853 15854 407a73 SetFileSecurityA 15852->15854 15853->15834 15854->15853 15855 407a83 15854->15855 15855->15853 15857 407ac4 15856->15857 15858 407acb GetUserNameA 15856->15858 15857->15831 15859 407da7 RegCloseKey 15858->15859 15860 407aed LookupAccountNameA 15858->15860 15859->15857 15860->15859 15861 407b24 RegGetKeySecurity 15860->15861 15861->15859 15862 407b49 GetSecurityDescriptorOwner 15861->15862 15863 407b63 EqualSid 15862->15863 15864 407bb8 GetSecurityDescriptorDacl 15862->15864 15863->15864 15866 407b74 LocalAlloc 15863->15866 15865 407da6 15864->15865 15873 407bdc 15864->15873 15865->15859 15866->15864 15867 407b8a InitializeSecurityDescriptor 15866->15867 15869 407bb1 LocalFree 15867->15869 15870 407b96 SetSecurityDescriptorOwner 15867->15870 15868 407bf8 GetAce 15868->15873 15869->15864 15870->15869 15871 407ba6 RegSetKeySecurity 15870->15871 15871->15869 15872 407c1d EqualSid 15872->15873 15873->15865 15873->15868 15873->15872 15874 407cd9 15873->15874 15875 407c5f EqualSid 15873->15875 15876 407c3a DeleteAce 15873->15876 15874->15865 15877 407d5a LocalAlloc 15874->15877 15879 407cf2 
RegOpenKeyExA 15874->15879 15875->15873 15876->15873 15877->15865 15878 407d70 InitializeSecurityDescriptor 15877->15878 15880 407d7c SetSecurityDescriptorDacl 15878->15880 15881 407d9f LocalFree 15878->15881 15879->15877 15884 407d0f 15879->15884 15880->15881 15882 407d8c RegSetKeySecurity 15880->15882 15881->15865 15882->15881 15883 407d9c 15882->15883 15883->15881 15885 407d43 RegSetValueExA 15884->15885 15885->15877 15886 407d54 15885->15886 15886->15877 15887->15339 15889 40dd05 6 API calls 15888->15889 15892 40e65f 15889->15892 15890 40e6a5 15891 40ebcc 4 API calls 15890->15891 15895 40e6f5 15890->15895 15894 40e6b0 15891->15894 15892->15890 15893 40e68c lstrcmpA 15892->15893 15893->15892 15894->15895 15897 40e6b7 15894->15897 15898 40e6e0 lstrcpynA 15894->15898 15896 40e71d lstrcmpA 15895->15896 15895->15897 15896->15895 15897->15341 15898->15895 15899->15347 15901 40c525 15900->15901 15907 40c532 15900->15907 15905 40ec2e codecvt 4 API calls 15901->15905 15901->15907 15902 40c548 15903 40c54f 15902->15903 15906 40e7ff lstrcmpiA 15902->15906 15903->15360 15905->15907 15908 40c615 15906->15908 15907->15902 16052 40e7ff 15907->16052 15908->15903 15910 40ebcc 4 API calls 15908->15910 15910->15903 15911 40c5d1 15913 40ebcc 4 API calls 15911->15913 15912 40e819 11 API calls 15914 40c5b7 15912->15914 15913->15903 15915 40f04e 4 API calls 15914->15915 15916 40c5bf 15915->15916 15916->15902 15916->15911 15918 402692 inet_addr 15917->15918 15919 40268e 15917->15919 15918->15919 15920 40269e gethostbyname 15918->15920 15921 40f428 15919->15921 15920->15919 16055 40f315 15921->16055 15926 40c8d2 15924->15926 15925 40c907 15925->15362 15926->15925 15927 40c517 23 API calls 15926->15927 15927->15925 15928 40f43e 15929 40f473 recv 15928->15929 15930 40f458 15929->15930 15931 40f47c 15929->15931 15930->15929 15930->15931 15931->15378 15933 40c670 15932->15933 15934 40c67d 15932->15934 15935 40ebcc 4 API calls 15933->15935 15936 40ebcc 4 API calls 15934->15936 15937 40c699 
15934->15937 15935->15934 15936->15937 15938 40c6f3 15937->15938 15939 40c73c send 15937->15939 15938->15391 15938->15455 15939->15938 15941 40c770 15940->15941 15942 40c77d 15940->15942 15943 40ebcc 4 API calls 15941->15943 15944 40c799 15942->15944 15946 40ebcc 4 API calls 15942->15946 15943->15942 15945 40c7b5 15944->15945 15947 40ebcc 4 API calls 15944->15947 15948 40f43e recv 15945->15948 15946->15944 15947->15945 15949 40c7cb 15948->15949 15950 40c7d3 15949->15950 15951 40f43e recv 15949->15951 15950->15455 15951->15950 16068 407db7 15952->16068 15955 407e70 15957 407e96 15955->15957 15959 40f04e 4 API calls 15955->15959 15956 40f04e 4 API calls 15958 407e4c 15956->15958 15957->15455 15958->15955 15960 40f04e 4 API calls 15958->15960 15959->15957 15960->15955 15962 406ec3 2 API calls 15961->15962 15963 407fdd 15962->15963 15964 4073ff 17 API calls 15963->15964 15973 4080c2 CreateProcessA 15963->15973 15965 407fff 15964->15965 15966 407809 21 API calls 15965->15966 15965->15973 15967 40804d 15966->15967 15968 40ef1e lstrlenA 15967->15968 15967->15973 15969 40809e 15968->15969 15970 40ef1e lstrlenA 15969->15970 15971 4080af 15970->15971 15972 407a95 24 API calls 15971->15972 15972->15973 15973->15443 15973->15444 15975 407db7 2 API calls 15974->15975 15976 407eb8 15975->15976 15977 40f04e 4 API calls 15976->15977 15978 407ece DeleteFileA 15977->15978 15978->15455 15980 40dd05 6 API calls 15979->15980 15981 40e31d 15980->15981 16072 40e177 15981->16072 15983 40e326 15983->15416 15985 4031f3 15984->15985 15995 4031ec 15984->15995 15986 40ebcc 4 API calls 15985->15986 16000 4031fc 15986->16000 15987 40344b 15988 403459 15987->15988 15989 40349d 15987->15989 15990 40f04e 4 API calls 15988->15990 15991 40ec2e codecvt 4 API calls 15989->15991 15992 40345f 15990->15992 15991->15995 15993 4030fa 4 API calls 15992->15993 15993->15995 15994 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15994->16000 15995->15455 15996 40344d 15997 40ec2e codecvt 4 API 
calls 15996->15997 15997->15987 15999 403141 lstrcmpiA 15999->16000 16000->15987 16000->15994 16000->15995 16000->15996 16000->15999 16098 4030fa GetTickCount 16000->16098 16002 4030fa 4 API calls 16001->16002 16003 403c1a 16002->16003 16007 403ce6 16003->16007 16103 403a72 16003->16103 16006 403a72 9 API calls 16009 403c5e 16006->16009 16007->15455 16008 403a72 9 API calls 16008->16009 16009->16007 16009->16008 16010 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16009->16010 16010->16009 16012 403a10 16011->16012 16013 4030fa 4 API calls 16012->16013 16014 403a1a 16013->16014 16014->15455 16016 40dd05 6 API calls 16015->16016 16017 40e7be 16016->16017 16017->15455 16019 40c105 16018->16019 16020 40c07e wsprintfA 16018->16020 16019->15455 16112 40bfce GetTickCount wsprintfA 16020->16112 16022 40c0ef 16113 40bfce GetTickCount wsprintfA 16022->16113 16025 407047 16024->16025 16026 406f88 16024->16026 16025->15455 16026->16026 16027 406f94 LookupAccountNameA 16026->16027 16028 407025 16027->16028 16029 406fcb 16027->16029 16030 406edd 5 API calls 16028->16030 16032 406fdb ConvertSidToStringSidA 16029->16032 16031 40702a wsprintfA 16030->16031 16031->16025 16032->16028 16033 406ff1 16032->16033 16034 407013 LocalFree 16033->16034 16034->16028 16036 40dd05 6 API calls 16035->16036 16037 40e85c 16036->16037 16038 40dd84 lstrcmpiA 16037->16038 16039 40e867 16038->16039 16040 40e885 lstrcpyA 16039->16040 16114 4024a5 16039->16114 16117 40dd69 16040->16117 16046 407db7 2 API calls 16045->16046 16047 407de1 16046->16047 16048 40f04e 4 API calls 16047->16048 16051 407e16 16047->16051 16049 407df2 16048->16049 16050 40f04e 4 API calls 16049->16050 16049->16051 16050->16051 16051->15455 16053 40dd84 lstrcmpiA 16052->16053 16054 40c58e 16053->16054 16054->15902 16054->15911 16054->15912 16056 40ca1d 16055->16056 16057 40f33b 16055->16057 16056->15375 16056->15928 16058 40f347 htons socket 16057->16058 16059 40f382 ioctlsocket 16058->16059 16060 40f374 
closesocket 16058->16060 16061 40f3aa connect select 16059->16061 16062 40f39d 16059->16062 16060->16056 16061->16056 16064 40f3f2 __WSAFDIsSet 16061->16064 16063 40f39f closesocket 16062->16063 16063->16056 16064->16063 16065 40f403 ioctlsocket 16064->16065 16067 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16065->16067 16067->16056 16069 407dc8 InterlockedExchange 16068->16069 16070 407dc0 Sleep 16069->16070 16071 407dd4 16069->16071 16070->16069 16071->15955 16071->15956 16073 40e184 16072->16073 16074 40e2e4 16073->16074 16075 40e223 16073->16075 16088 40dfe2 16073->16088 16074->15983 16075->16074 16077 40dfe2 8 API calls 16075->16077 16081 40e23c 16077->16081 16078 40e1be 16078->16075 16079 40dbcf 3 API calls 16078->16079 16082 40e1d6 16079->16082 16080 40e21a CloseHandle 16080->16075 16081->16074 16092 40e095 RegCreateKeyExA 16081->16092 16082->16075 16082->16080 16083 40e1f9 WriteFile 16082->16083 16083->16080 16085 40e213 16083->16085 16085->16080 16086 40e2a3 16086->16074 16087 40e095 4 API calls 16086->16087 16087->16074 16089 40e024 16088->16089 16090 40dffc 16088->16090 16089->16078 16090->16089 16091 40db2e 8 API calls 16090->16091 16091->16089 16093 40e172 16092->16093 16094 40e0c0 16092->16094 16093->16086 16095 40e13d 16094->16095 16097 40e115 RegSetValueExA 16094->16097 16096 40e14e RegDeleteValueA RegCloseKey 16095->16096 16096->16093 16097->16094 16097->16095 16099 403122 InterlockedExchange 16098->16099 16100 40312e 16099->16100 16101 40310f GetTickCount 16099->16101 16100->16000 16101->16100 16102 40311a Sleep 16101->16102 16102->16099 16104 40f04e 4 API calls 16103->16104 16106 403a83 16104->16106 16105 403be6 16109 40ec2e codecvt 4 API calls 16105->16109 16107 403bc0 16106->16107 16108 403ac1 16106->16108 16111 403b66 lstrlenA 16106->16111 16107->16105 16110 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16107->16110 16108->16006 16108->16007 16109->16108 16110->16107 16111->16106 16111->16108 16112->16022 
16113->16019 16115 402419 4 API calls 16114->16115 16116 4024b6 16115->16116 16116->16040 16118 40dd79 lstrlenA 16117->16118 16118->15455 16120 404084 16119->16120 16121 40407d 16119->16121 16122 403ecd 6 API calls 16120->16122 16123 40408f 16122->16123 16124 404000 3 API calls 16123->16124 16126 404095 16124->16126 16125 404130 16127 403ecd 6 API calls 16125->16127 16126->16125 16131 403f18 4 API calls 16126->16131 16128 404159 CreateNamedPipeA 16127->16128 16129 404167 Sleep 16128->16129 16130 404188 ConnectNamedPipe 16128->16130 16129->16125 16132 404176 CloseHandle 16129->16132 16134 404195 GetLastError 16130->16134 16144 4041ab 16130->16144 16133 4040da 16131->16133 16132->16130 16135 403f8c 4 API calls 16133->16135 16136 40425e DisconnectNamedPipe 16134->16136 16134->16144 16137 4040ec 16135->16137 16136->16130 16138 404127 CloseHandle 16137->16138 16140 404101 16137->16140 16138->16125 16139 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16139->16144 16141 403f18 4 API calls 16140->16141 16142 40411c ExitProcess 16141->16142 16143 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16143->16144 16144->16130 16144->16136 16144->16139 16144->16143 16145 40426a CloseHandle CloseHandle 16144->16145 16146 40e318 23 API calls 16145->16146 16147 40427b 16146->16147 16147->16147 16149 408791 16148->16149 16150 40879f 16148->16150 16152 40f04e 4 API calls 16149->16152 16151 4087bc 16150->16151 16153 40f04e 4 API calls 16150->16153 16154 40e819 11 API calls 16151->16154 16152->16150 16153->16151 16155 4087d7 16154->16155 16159 408803 16155->16159 16169 4026b2 gethostbyaddr 16155->16169 16157 4087eb 16157->16159 16160 40e8a1 30 API calls 16157->16160 16163 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16159->16163 16164 40e819 11 API calls 16159->16164 16165 4088a0 Sleep 16159->16165 16167 4026b2 2 API calls 16159->16167 16168 40e8a1 30 API calls 16159->16168 16174 40c4d6 16159->16174 16177 
40c4e2 16159->16177 16180 402011 16159->16180 16215 408328 16159->16215 16160->16159 16163->16159 16164->16159 16165->16159 16167->16159 16168->16159 16170 4026fb 16169->16170 16171 4026cd 16169->16171 16170->16157 16172 4026e1 inet_ntoa 16171->16172 16173 4026de 16171->16173 16172->16173 16173->16157 16267 40c2dc 16174->16267 16178 40c2dc 141 API calls 16177->16178 16179 40c4ec 16178->16179 16179->16159 16181 402020 16180->16181 16182 40202e 16180->16182 16184 40f04e 4 API calls 16181->16184 16183 40204b 16182->16183 16185 40f04e 4 API calls 16182->16185 16186 40206e GetTickCount 16183->16186 16187 40f04e 4 API calls 16183->16187 16184->16182 16185->16183 16188 4020db GetTickCount 16186->16188 16200 402090 16186->16200 16191 402068 16187->16191 16189 402132 GetTickCount GetTickCount 16188->16189 16190 4020e7 16188->16190 16193 40f04e 4 API calls 16189->16193 16194 40212b GetTickCount 16190->16194 16205 402125 16190->16205 16208 401978 15 API calls 16190->16208 16607 402ef8 16190->16607 16191->16186 16192 4020d4 GetTickCount 16192->16188 16195 402159 16193->16195 16194->16189 16199 40e854 13 API calls 16195->16199 16212 4021b4 16195->16212 16196 402684 2 API calls 16196->16200 16198 40f04e 4 API calls 16202 4021d1 16198->16202 16204 40218e 16199->16204 16200->16192 16200->16196 16203 4020ce 16200->16203 16602 401978 16200->16602 16206 4021f2 16202->16206 16209 40ea84 30 API calls 16202->16209 16203->16192 16207 40e819 11 API calls 16204->16207 16205->16194 16206->16159 16210 40219c 16207->16210 16208->16190 16211 4021ec 16209->16211 16210->16212 16615 401c5f 16210->16615 16213 40f04e 4 API calls 16211->16213 16212->16198 16213->16206 16216 407dd6 6 API calls 16215->16216 16217 40833c 16216->16217 16218 406ec3 2 API calls 16217->16218 16244 408340 16217->16244 16219 40834f 16218->16219 16220 40835c 16219->16220 16226 40846b 16219->16226 16221 4073ff 17 API calls 16220->16221 16245 408373 16221->16245 16222 4085df 16223 408626 GetTempPathA 16222->16223 16224 408638 
16222->16224 16232 408762 16222->16232 16223->16224 16687 406ba7 IsBadCodePtr 16224->16687 16225 40675c 21 API calls 16225->16222 16228 4084a7 RegOpenKeyExA 16226->16228 16241 408450 16226->16241 16230 4084c0 RegQueryValueExA 16228->16230 16231 40852f 16228->16231 16229 4086ad 16229->16232 16235 407e2f 6 API calls 16229->16235 16233 408521 RegCloseKey 16230->16233 16234 4084dd 16230->16234 16236 408564 RegOpenKeyExA 16231->16236 16247 4085a5 16231->16247 16240 40ec2e codecvt 4 API calls 16232->16240 16232->16244 16233->16231 16234->16233 16238 40ebcc 4 API calls 16234->16238 16248 4086bb 16235->16248 16237 408573 RegSetValueExA RegCloseKey 16236->16237 16236->16247 16237->16247 16243 4084f0 16238->16243 16239 40875b DeleteFileA 16239->16232 16240->16244 16241->16222 16241->16225 16243->16233 16246 4084f8 RegQueryValueExA 16243->16246 16244->16159 16245->16241 16245->16244 16249 4083ea RegOpenKeyExA 16245->16249 16246->16233 16250 408515 16246->16250 16247->16241 16251 40ec2e codecvt 4 API calls 16247->16251 16248->16239 16254 4086e0 lstrcpyA lstrlenA 16248->16254 16249->16241 16252 4083fd RegQueryValueExA 16249->16252 16253 40ec2e codecvt 4 API calls 16250->16253 16251->16241 16255 40842d RegSetValueExA 16252->16255 16256 40841e 16252->16256 16258 40851d 16253->16258 16259 407fcf 64 API calls 16254->16259 16257 408447 RegCloseKey 16255->16257 16256->16255 16256->16257 16257->16241 16258->16233 16260 408719 CreateProcessA 16259->16260 16261 40873d CloseHandle CloseHandle 16260->16261 16262 40874f 16260->16262 16261->16232 16263 407ee6 64 API calls 16262->16263 16264 408754 16263->16264 16265 407ead 6 API calls 16264->16265 16266 40875a 16265->16266 16266->16239 16283 40a4c7 GetTickCount 16267->16283 16270 40c300 GetTickCount 16272 40c337 16270->16272 16271 40c326 16271->16272 16273 40c32b GetTickCount 16271->16273 16277 40c363 GetTickCount 16272->16277 16278 40c45e 16272->16278 16273->16272 16274 40c4d2 16274->16159 16275 40c4ab InterlockedIncrement CreateThread 
16275->16274 16276 40c4cb CloseHandle 16275->16276 16288 40b535 16275->16288 16276->16274 16277->16278 16279 40c373 16277->16279 16278->16274 16278->16275 16280 40c378 GetTickCount 16279->16280 16281 40c37f 16279->16281 16280->16281 16282 40c43b GetTickCount 16281->16282 16282->16278 16284 40a4f7 InterlockedExchange 16283->16284 16285 40a500 16284->16285 16286 40a4e4 GetTickCount 16284->16286 16285->16270 16285->16271 16285->16278 16286->16285 16287 40a4ef Sleep 16286->16287 16287->16284 16289 40b566 16288->16289 16290 40ebcc 4 API calls 16289->16290 16291 40b587 16290->16291 16292 40ebcc 4 API calls 16291->16292 16342 40b590 16292->16342 16293 40bdcd InterlockedDecrement 16294 40bde2 16293->16294 16296 40ec2e codecvt 4 API calls 16294->16296 16297 40bdea 16296->16297 16298 40ec2e codecvt 4 API calls 16297->16298 16300 40bdf2 16298->16300 16299 40bdb7 Sleep 16299->16342 16302 40be05 16300->16302 16303 40ec2e codecvt 4 API calls 16300->16303 16301 40bdcc 16301->16293 16303->16302 16304 40ebed 8 API calls 16304->16342 16307 40b6b6 lstrlenA 16307->16342 16308 4030b5 2 API calls 16308->16342 16309 40e819 11 API calls 16309->16342 16310 40b6ed lstrcpyA 16363 405ce1 16310->16363 16313 40b731 lstrlenA 16313->16342 16314 40b71f lstrcmpA 16314->16313 16314->16342 16315 40b772 GetTickCount 16315->16342 16316 40bd49 InterlockedIncrement 16460 40a628 16316->16460 16317 40ab81 lstrcpynA InterlockedIncrement 16317->16342 16320 40bc5b InterlockedIncrement 16320->16342 16321 40b7ce InterlockedIncrement 16373 40acd7 16321->16373 16324 40b912 GetTickCount 16324->16342 16325 40b826 InterlockedIncrement 16325->16315 16326 40b932 GetTickCount 16328 40bc6d InterlockedIncrement 16326->16328 16326->16342 16327 40bcdc closesocket 16327->16342 16328->16342 16329 405ce1 22 API calls 16329->16342 16330 4038f0 6 API calls 16330->16342 16334 40bba6 InterlockedIncrement 16334->16342 16336 40bc4c closesocket 16336->16342 16338 40ba71 wsprintfA 16394 40a7c1 16338->16394 16340 40a7c1 22 API calls 
16340->16342 16341 40ef1e lstrlenA 16341->16342 16342->16293 16342->16299 16342->16301 16342->16304 16342->16307 16342->16308 16342->16309 16342->16310 16342->16313 16342->16314 16342->16315 16342->16316 16342->16317 16342->16320 16342->16321 16342->16324 16342->16325 16342->16326 16342->16327 16342->16329 16342->16330 16342->16334 16342->16336 16342->16338 16342->16340 16342->16341 16343 405ded 12 API calls 16342->16343 16345 403e10 16342->16345 16348 403e4f 16342->16348 16351 40384f 16342->16351 16371 40a7a3 inet_ntoa 16342->16371 16378 40abee 16342->16378 16390 401feb GetTickCount 16342->16390 16391 40a688 16342->16391 16414 403cfb 16342->16414 16417 40b3c5 16342->16417 16448 40ab81 16342->16448 16343->16342 16346 4030fa 4 API calls 16345->16346 16347 403e1d 16346->16347 16347->16342 16349 4030fa 4 API calls 16348->16349 16350 403e5c 16349->16350 16350->16342 16352 4030fa 4 API calls 16351->16352 16354 403863 16352->16354 16353 4038b2 16353->16342 16354->16353 16355 4038b9 16354->16355 16356 403889 16354->16356 16469 4035f9 16355->16469 16463 403718 16356->16463 16361 403718 6 API calls 16361->16353 16362 4035f9 6 API calls 16362->16353 16364 405cf4 16363->16364 16365 405cec 16363->16365 16367 404bd1 4 API calls 16364->16367 16475 404bd1 GetTickCount 16365->16475 16368 405d02 16367->16368 16480 405472 16368->16480 16372 40a7b9 16371->16372 16372->16342 16374 40f315 14 API calls 16373->16374 16375 40aceb 16374->16375 16376 40f315 14 API calls 16375->16376 16377 40acff 16375->16377 16376->16377 16377->16342 16379 40abfb 16378->16379 16382 40ac65 16379->16382 16543 402f22 16379->16543 16381 40f315 14 API calls 16381->16382 16382->16381 16383 40ac8a 16382->16383 16384 40ac6f 16382->16384 16383->16342 16386 40ab81 2 API calls 16384->16386 16385 40ac23 16385->16382 16388 402684 2 API calls 16385->16388 16387 40ac81 16386->16387 16551 4038f0 16387->16551 16388->16385 16390->16342 16565 40a63d 16391->16565 16393 40a696 16393->16342 16395 40a87d lstrlenA send 
                                                                                    Control-flow graph (rendered edge list omitted; the functions it covered and the API calls reached from each, by basic-block address):
                                                                                    • 0040A7DF–0040AB17: wsprintfA, send, recv, inet_ntoa
                                                                                    • 0040B3E6–0040B51A: wsprintfA; via 0040AD89: GetLocalTime, SystemTimeToFileTime, gethostname, lstrlenA, lstrcpyA, inet_ntoa, wsprintfA; via 0040B211: GetLocalTime, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, GetTimeZoneInformation, wsprintfA
                                                                                    • 0040AB8C–0040A56C: lstrcpynA, InterlockedIncrement, GetTickCount
                                                                                    • 004037B3, 004036DA, 0040391B: GetCurrentThreadId
                                                                                    • 00404BFF: InterlockedExchange, GetTickCount, Sleep
                                                                                    • 00405B58–00405B79 (string helpers 0040548A–00405A9F, 00404763, 00404F9F): lstrlenA, lstrcpynA, lstrcpyA, IsBadCodePtr
                                                                                    • 00402D21: GetModuleHandleA, LoadLibraryA, GetProcAddress, GetProcessHeap, HeapAlloc, HeapFree, lstrcpynA
                                                                                    • 00402DF2: GetModuleHandleA, LoadLibraryA, GetProcAddress, GetProcessHeap, HeapAlloc, htons, inet_addr, gethostbyname, HeapFree
                                                                                    • 00402CEB–00402CD3 (with 004026FF, 00402816, 00402871, 00402923): Sleep, GetProcessHeap, HeapAlloc, HeapFree, socket, htons, select, recv, sendto, GetTickCount, closesocket
                                                                                    • 0040198A: closesocket; 00401CC2, 00401D47: wsprintfA; 0040A65E: GetTickCount
                                                                                    • 00406BC0: CreateFileA, WriteFile, CloseHandle, DeleteFileA
                                                                                    • 004F0005–004F08C7: GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA; 004F0920: TerminateProcess
                                                                                    • 0041A810–0041A7C9 (via 0041A430, 0041A150, 0041A3C0, 0041A2A0, 0041A2E0, 0041A250): GetSystemDefaultLCID, RtlLeaveCriticalSection, LoadLibraryA, GetUserObjectInformationW, GetSystemTimes, FoldStringW, GetConsoleAliasesLengthA, CallNamedPipeA, GetComputerNameA, GetFileAttributesW, GetConsoleAliasExesLengthW, GlobalAlloc, LoadLibraryW, GetModuleHandleW, GetProcAddress, VirtualProtect, GlobalSize, InterlockedExchangeAdd, QueryDosDeviceW, FreeEnvironmentStringsW, GetStartupInfoA, BuildCommDCBW, WritePrivateProfileStringA, UnhandledExceptionFilter, GetComputerNameW, GetShortPathNameA, VirtualLock, RtlAllocateHeap, GetNumaHighestNodeNumber
                                                                                    • 0058B88E–0058BD61: CreateToolhelp32Snapshot, Module32First, VirtualAlloc
                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                      • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                      • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                      • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                    • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                    • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                    • ExitProcess.KERNEL32 ref: 00409C06
                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                    • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                    • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                    • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                    • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                    • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                    • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                    • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                    • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                    • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                    • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                    • wsprintfA.USER32 ref: 0040A0B6
                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                    • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                    • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                    • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                    • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                      • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                      • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                      • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                    • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                    • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                    • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                    • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                    • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                    • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                    • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                    • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                    • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                    • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                    • API String ID: 2089075347-2824936573
                                                                                    • Opcode ID: 5e9f80298255327e39bb5a43b3680402934ce1a896d3dc4b77bb4975c6ac572f
                                                                                    • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                    • Opcode Fuzzy Hash: 5e9f80298255327e39bb5a43b3680402934ce1a896d3dc4b77bb4975c6ac572f
                                                                                    • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                    Control-flow Graph
                                                                                    • Rendered graph omitted. Function 0041A430–0041A80B, with calls into 0041A150, 0041A3C0 and 0041A140; the API call sites are listed under APIs below.
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 0041A4EF
                                                                                    • SetConsoleTitleA.KERNEL32(00000000), ref: 0041A4F7
                                                                                    • GlobalSize.KERNEL32(00000000), ref: 0041A4FF
                                                                                    • FindAtomW.KERNEL32(00000000), ref: 0041A507
                                                                                    • SearchPathA.KERNEL32(0041C9B0,0041C998,0041C978,00000000,?,?), ref: 0041A52B
                                                                                    • SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A535
                                                                                    • GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A55D
                                                                                    • CopyFileExA.KERNEL32(0041C9DC,0041C9CC,00000000,00000000,00000000,00000000), ref: 0041A575
                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0041A57B
                                                                                    • WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A59A
                                                                                    • GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A5A4
                                                                                    • DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A5AC
                                                                                    • GetSystemDefaultLCID.KERNEL32 ref: 0041A5C6
                                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 0041A5DA
                                                                                    • LoadLibraryA.KERNEL32(00000000), ref: 0041A5F3
                                                                                    • GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A644
                                                                                    • GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A659
                                                                                    • FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A681
                                                                                    • GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 0041A6A0
                                                                                    • CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A6AD
                                                                                    • GetComputerNameA.KERNEL32(00000000,00000000), ref: 0041A6B5
                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041A6BC
                                                                                    • GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A6C2
                                                                                    • GlobalAlloc.KERNELBASE(00000000,00421FFC), ref: 0041A70C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747152733.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_415000_Uc84uB877e.jbxd
                                                                                    Similarity
                                                                                    • API ID: Console$DefaultFileGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesCallCommComputerConfigCopyCriticalDebugEnvironmentExchangeExesFindFoldInformationInterlockedLeaveLibraryLoadModeNameNamedNodeNumaObjectOutputPathPipeProcessProcessorSearchSectionSizeStopStringStringsTimesTitleUserWrite
                                                                                    • String ID: G9@$k`$}$
                                                                                    • API String ID: 341275787-167184026
                                                                                    • Opcode ID: 6435a0b693ee3c0f5add715273c27709e575e720a3cdb1bf64fd6a5124c8f2b1
                                                                                    • Instruction ID: 2b01aa1a40784374f893aeac6b5f14252f8cfe1257af145ca4da5efdbb9e3ae1
                                                                                    • Opcode Fuzzy Hash: 6435a0b693ee3c0f5add715273c27709e575e720a3cdb1bf64fd6a5124c8f2b1
                                                                                    • Instruction Fuzzy Hash: C2A12671641310ABD320AB61DC4AFDB7B64EB4C715F01803AF669A61E0DBB895418BEF

                                                                                    Control-flow Graph
                                                                                    • Rendered graph omitted. Function 00409326–004096A9, with calls into 00401910, 00402544, 0040EE2A, 00406EDD, 00406CC9, 0040EF00, 0040EF1E, 00401820, 004091EB, 0040F0E4 and 004018E0; the API call sites are listed under APIs below.
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                    • wsprintfA.USER32 ref: 004093CE
                                                                                    • wsprintfA.USER32 ref: 0040940C
                                                                                    • wsprintfA.USER32 ref: 0040948D
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
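The three API lists above (the routine at 00409A7F, the call chain at 0041A430 and the registry read at 00409326) are raw sandbox output. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses that line format and flags three things a triage analyst would pull out of it. First, an HKCU RegOpenKeyExA followed by RegSetValueExA with dwType 1 (REG_SZ), then CreateProcessA and DeleteFileA, in call-site order, which is a registry-persistence-then-self-delete chain. Second, a run of distinct APIs each called with every recorded argument NULL, as in the 0041A430 list; the threshold of eight distinct APIs is this example's own heuristic for padding or junk calls. Third, an HKLM RegOpenKeyExA and RegQueryValueExA pair alongside the PromptOnSecureDesktop string, which is consistent with reading the UAC secure-desktop policy value (an inference drawn here, not something the report states). The sample lines are copied from the lists above, and the regular expression is written for this report's rendering of them, bullet glyph included.

```python
"""Parse Joe Sandbox "APIs" call lists and flag patterns visible in this report.
Added example, not part of the report or of the analysed sample. Sample lines are
copied from the report's API lists; the regex matches that rendering ("• Api.MODULE(args),
ref: ADDRESS", optionally prefixed "Part of subcall function X:"). Thresholds are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HKCU, HKLM = "80000001", "80000002"  # hKey values as the report prints them
REG_SZ = "00000001"                   # dwType argument of RegSetValueExA


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]        # as rendered; "?" means the sandbox did not recover it
    ref: int               # call-site address
    parent: Optional[str]  # set for "Part of subcall function" entries

    def all_null_args(self) -> bool:
        # Only meaningful when at least one argument was recorded.
        return bool(self.args) and all(a == "00000000" for a in self.args)


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse every bullet line; headers and blank lines are skipped."""
    calls = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line.startswith("•"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["parent"]))
    return calls


def find_run_key_install(calls: List[ApiCall]) -> Optional[List[int]]:
    """HKCU RegOpenKeyExA -> RegSetValueExA(REG_SZ) -> CreateProcessA -> DeleteFileA,
    matched in call-site order; returns the four addresses, or None."""
    chain = [("RegOpenKeyExA", lambda a: a[:1] == [HKCU]),
             ("RegSetValueExA", lambda a: len(a) > 3 and a[3] == REG_SZ),
             ("CreateProcessA", lambda a: True),
             ("DeleteFileA", lambda a: True)]
    hits: List[int] = []
    for c in sorted(calls, key=lambda c: c.ref):
        api, ok = chain[len(hits)]
        if c.api == api and ok(c.args):
            hits.append(c.ref)
            if len(hits) == len(chain):
                return hits
    return None


def null_arg_api_hammering(calls: List[ApiCall], min_distinct: int = 8) -> List[str]:
    """Distinct APIs whose every recorded argument is NULL; a long run of them
    reads as padding rather than functionality. [] when below the threshold."""
    apis = sorted({c.api for c in calls if c.all_null_args()})
    return apis if len(apis) >= min_distinct else []


def reads_uac_secure_desktop(calls: List[ApiCall], strings: List[str]) -> bool:
    """HKLM open plus RegQueryValueExA next to the PromptOnSecureDesktop string."""
    opens_hklm = any(c.api == "RegOpenKeyExA" and c.args[:1] == [HKLM] for c in calls)
    queries = any(c.api == "RegQueryValueExA" for c in calls)
    return opens_hklm and queries and "PromptOnSecureDesktop" in strings


# Lines copied from the report: routines at 00409A7F (subset), 0041A430 (subset), 00409326.
INSTALLER_APIS = """
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• wsprintfA.USER32 ref: 0040A0B6
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
"""
JUNK_APIS = """
• SetConsoleTitleA.KERNEL32(00000000), ref: 0041A4F7
• FindAtomW.KERNEL32(00000000), ref: 0041A507
• SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A535
• GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A5A4
• DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A5AC
• FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A681
• CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A6AD
• GetComputerNameA.KERNEL32(00000000,00000000), ref: 0041A6B5
• GetFileAttributesW.KERNEL32(00000000), ref: 0041A6BC
• GlobalAlloc.KERNELBASE(00000000,00421FFC), ref: 0041A70C
"""
UAC_APIS = """
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
"""
# The report's "String ID" fields for the 00409A7F and 00409326 routines, "$"-separated.
INSTALLER_STRINGS = '"$"$"$%X%08X$D$P$PromptOnSecureDesktop$\\'.split("$")
UAC_STRINGS = "PromptOnSecureDesktop$runas".split("$")

if __name__ == "__main__":
    print(find_run_key_install(parse_api_list(INSTALLER_APIS)), null_arg_api_hammering(parse_api_list(JUNK_APIS)))
```

Run as a script it prints the four call-site addresses of the persistence chain and the nine all-NULL-argument APIs from the 0041A430 list. The chain matcher sorts by call-site address because the report lists calls in that order and the earlier DeleteFileA at 00409E38 must not satisfy the final step; `all_null_args` ignores calls for which the sandbox recorded no arguments, so GetEnvironmentStringsW-style entries neither help nor hurt the count.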
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                    • String ID: PromptOnSecureDesktop$runas
                                                                                    • API String ID: 3696105349-2220793183
                                                                                    • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                    • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                    • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                    • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 682 406a60-406a89 CreateFileA 683 406b8c-406ba1 GetLastError 682->683 684 406a8f-406ac3 GetDiskFreeSpaceA 682->684 685 406ba3-406ba6 683->685 686 406ac5-406adc call 40eb0e 684->686 687 406b1d-406b34 call 406987 684->687 686->687 694 406ade 686->694 692 406b56-406b63 FindCloseChangeNotification 687->692 693 406b36-406b54 GetLastError CloseHandle 687->693 698 406b65-406b7d GetLastError CloseHandle 692->698 699 406b86-406b8a 692->699 697 406b7f-406b80 DeleteFileA 693->697 695 406ae0-406ae5 694->695 696 406ae7-406afb call 40eca5 694->696 695->696 700 406afd-406aff 695->700 696->687 697->699 698->697 699->685 700->687 703 406b01 700->703 704 406b03-406b08 703->704 705 406b0a-406b17 call 40eca5 703->705 704->687 704->705 705->687
                                                                                    APIs
                                                                                    • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                    • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                    • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 1251348514-2980165447
                                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                    • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                                    • String ID:
                                                                                    • API String ID: 1209300637-0
                                                                                    • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                    • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                    • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                    • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 862 4f092b-4f0970 GetPEB 863 4f0972-4f0978 862->863 864 4f098c-4f098e 863->864 865 4f097a-4f098a call 4f0d35 863->865 864->863 867 4f0990 864->867 865->864 871 4f0992-4f0994 865->871 869 4f0996-4f0998 867->869 870 4f0a3b-4f0a3e 869->870 871->869 872 4f099d-4f09d3 871->872 873 4f09dc-4f09ee call 4f0d0c 872->873 876 4f09d5-4f09d8 873->876 877 4f09f0-4f0a3a 873->877 876->873 877->870
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .$GetProcAddress.$l
                                                                                    • API String ID: 0-2784972518
                                                                                    • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                    • Instruction ID: ee8d9548c56cb374e40298a9480588cf3b25a9a1b09fae618662e7862dfbde42
                                                                                    • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                    • Instruction Fuzzy Hash: E3316EB6900609DFDB10CF99C880AAEBBF5FF48324F54404AD541A7312D7B5EA45CFA4
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0058C056
                                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 0058C076
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747369440.000000000058B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058B000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 3833638111-0
                                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction ID: 1c047ce1d7a7970932dc8347e05aa6472c0804a7d11ad3e76acb90db2e1285a3
                                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction Fuzzy Hash: 9EF06231500711EBD7203AF9988DA6E7EECBF49764F100528EA52A10C0DBB0EC454B61
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                      • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                      • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$AllocateSize
                                                                                    • String ID:
                                                                                    • API String ID: 2559512979-0
                                                                                    • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                    • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                    • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                    • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 332 4073ff-407419 333 40741b 332->333 334 40741d-407422 332->334 333->334 335 407424 334->335 336 407426-40742b 334->336 335->336 337 407430-407435 336->337 338 40742d 336->338 339 407437 337->339 340 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 337->340 338->337 339->340 345 407487-40749d call 40ee2a 340->345 346 4077f9-4077fe call 40ee2a 340->346 351 407703-40770e RegEnumKeyA 345->351 352 407801 346->352 354 4074a2-4074b1 call 406cad 351->354 355 407714-40771d RegCloseKey 351->355 353 407804-407808 352->353 358 4074b7-4074cc call 40f1a5 354->358 359 4076ed-407700 354->359 355->352 358->359 362 4074d2-4074f8 RegOpenKeyExA 358->362 359->351 363 407727-40772a 362->363 364 4074fe-407530 call 402544 RegQueryValueExA 362->364 365 407755-407764 call 40ee2a 363->365 366 40772c-407740 call 40ef00 363->366 364->363 372 407536-40753c 364->372 377 4076df-4076e2 365->377 374 407742-407745 RegCloseKey 366->374 375 40774b-40774e 366->375 376 40753f-407544 372->376 374->375 379 4077ec-4077f7 RegCloseKey 375->379 376->376 378 407546-40754b 376->378 377->359 380 4076e4-4076e7 RegCloseKey 377->380 378->365 381 407551-40756b call 40ee95 378->381 379->353 380->359 381->365 384 407571-407593 call 402544 call 40ee95 381->384 389 407753 384->389 390 407599-4075a0 384->390 389->365 391 4075a2-4075c6 call 40ef00 call 40ed03 390->391 392 4075c8-4075d7 call 40ed03 390->392 398 4075d8-4075da 391->398 392->398 400 4075dc 398->400 401 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 398->401 400->401 410 407626-40762b 401->410 410->410 411 40762d-407634 410->411 412 407637-40763c 411->412 412->412 413 40763e-407642 412->413 414 407644-407656 call 40ed77 413->414 415 40765c-407673 call 40ed23 413->415 420 407769-40777c call 40ef00 414->420 421 407680 415->421 422 407675-40767e 415->422 427 4077e3-4077e6 RegCloseKey 420->427 424 407683-40768e call 406cad 421->424 422->424 429 407722-407725 424->429 430 407694-4076bf call 40f1a5 call 406c96 424->430 427->379 432 4076dd 429->432 436 4076c1-4076c7 430->436 437 4076d8 430->437 432->377 436->437 438 4076c9-4076d2 436->438 437->432 438->437 439 40777e-407797 GetFileAttributesExA 438->439 440 407799 439->440 441 40779a-40779f 439->441 440->441 442 4077a1 441->442 443 4077a3-4077a8 441->443 442->443 444 4077c4-4077c8 443->444 445 4077aa-4077c0 call 40ee08 443->445 447 4077d7-4077dc 444->447 448 4077ca-4077d6 call 40ef00 444->448 445->444 451 4077e0-4077e2 447->451 452 4077de 447->452 448->447 451->427 452->451
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                    • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                    • String ID: "$PromptOnSecureDesktop
                                                                                    • API String ID: 3433985886-3108538426
                                                                                    • Opcode ID: 92594f354633bb88517f7acf4746756fc69952fce073fe57c9bbb1d804d07feb
                                                                                    • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                    • Opcode Fuzzy Hash: 92594f354633bb88517f7acf4746756fc69952fce073fe57c9bbb1d804d07feb
                                                                                    • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 454 40704c-407071 455 407073 454->455 456 407075-40707a 454->456 455->456 457 40707c 456->457 458 40707e-407083 456->458 457->458 459 407085 458->459 460 407087-40708c 458->460 459->460 461 407090-4070ca call 402544 RegOpenKeyExA 460->461 462 40708e 460->462 465 4070d0-4070f6 call 406dc2 461->465 466 4071b8-4071c8 call 40ee2a 461->466 462->461 471 40719b-4071a9 RegEnumValueA 465->471 472 4071cb-4071cf 466->472 473 4070fb-4070fd 471->473 474 4071af-4071b2 RegCloseKey 471->474 475 40716e-407194 473->475 476 4070ff-407102 473->476 474->466 475->471 476->475 477 407104-407107 476->477 477->475 478 407109-40710d 477->478 478->475 479 40710f-407133 call 402544 call 40eed1 478->479 484 4071d0-407203 call 402544 call 40ee95 call 40ee2a 479->484 485 407139-407145 call 406cad 479->485 500 407205-407212 RegCloseKey 484->500 501 407227-40722e 484->501 491 407147-40715c call 40f1a5 485->491 492 40715e-40716b call 40ee2a 485->492 491->484 491->492 492->475 502 407222-407225 500->502 503 407214-407221 call 40ef00 500->503 504 407230-407256 call 40ef00 call 40ed23 501->504 505 40725b-40728c call 402544 call 40ee95 call 40ee2a 501->505 502->472 503->502 504->505 517 407258 504->517 519 4072b8-4072cb call 40ed77 505->519 520 40728e-40729a RegCloseKey 505->520 517->505 527 4072dd-4072f4 call 40ed23 519->527 528 4072cd-4072d8 RegCloseKey 519->528 521 4072aa-4072b3 520->521 522 40729c-4072a9 call 40ef00 520->522 521->472 522->521 531 407301 527->531 532 4072f6-4072ff 527->532 528->472 533 407304-40730f call 406cad 531->533 532->533 536 407311-40731d RegCloseKey 533->536 537 407335-40735d call 406c96 533->537 538 40732d-407330 536->538 539 40731f-40732c call 40ef00 536->539 544 4073d5-4073e2 RegCloseKey 537->544 545 40735f-407365 537->545 538->521 539->538 546 4073f2-4073f7 544->546 547 4073e4-4073f1 call 40ef00 544->547 545->544 548 407367-407370 545->548 547->546 548->544 549 407372-40737c 548->549 551 40739d-4073a2 549->551 552 40737e-407395 GetFileAttributesExA 549->552 555 4073a4 551->555 556 4073a6-4073a9 551->556 552->551 554 407397 552->554 554->551 555->556 557 4073b9-4073bc 556->557 558 4073ab-4073b8 call 40ef00 556->558 560 4073cb-4073cd 557->560 561 4073be-4073ca call 40ef00 557->561 558->557 560->544 561->560
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                    • RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                    • RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                    • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                    • String ID: $"$PromptOnSecureDesktop
                                                                                    • API String ID: 4293430545-98143240
                                                                                    • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                    • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                    • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                    • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 644 40675c-406778 645 406784-4067a2 CreateFileA 644->645 646 40677a-40677e SetFileAttributesA 644->646 647 4067a4-4067b2 CreateFileA 645->647 648 4067b5-4067b8 645->648 646->645 647->648 649 4067c5-4067c9 648->649 650 4067ba-4067bf SetFileAttributesA 648->650 651 406977-406986 649->651 652 4067cf-4067df GetFileSize 649->652 650->649 653 4067e5-4067e7 652->653 654 40696b 652->654 653->654 656 4067ed-40680b ReadFile 653->656 655 40696e-406971 FindCloseChangeNotification 654->655 655->651 656->654 657 406811-406824 SetFilePointer 656->657 657->654 658 40682a-406842 ReadFile 657->658 658->654 659 406848-406861 SetFilePointer 658->659 659->654 660 406867-406876 659->660 661 4068d5-4068df 660->661 662 406878-40688f ReadFile 660->662 661->655 665 4068e5-4068eb 661->665 663 406891-40689e 662->663 664 4068d2 662->664 666 4068a0-4068b5 663->666 667 4068b7-4068ba 663->667 664->661 668 4068f0-4068fe call 40ebcc 665->668 669 4068ed 665->669 670 4068bd-4068c3 666->670 667->670 668->654 675 406900-40690b SetFilePointer 668->675 669->668 672 4068c5 670->672 673 4068c8-4068ce 670->673 672->673 673->662 676 4068d0 673->676 677 40695a-406969 call 40ec2e 675->677 678 40690d-406920 ReadFile 675->678 676->661 677->655 678->677 679 406922-406958 678->679 679->655
                                                                                    APIs
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                    • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                    • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                    • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                    • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                    • String ID:
                                                                                    • API String ID: 1400801100-0
                                                                                    • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                    • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                    • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                    • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 708 4f003c-4f0047 709 4f004c-4f0263 call 4f0a3f call 4f0e0f call 4f0d90 VirtualAlloc 708->709 710 4f0049 708->710 725 4f028b-4f0292 709->725 726 4f0265-4f0289 call 4f0a69 709->726 710->709 727 4f02a1-4f02b0 725->727 729 4f02ce-4f03c2 VirtualProtect call 4f0cce call 4f0ce7 726->729 727->729 730 4f02b2-4f02cc 727->730 737 4f03d1-4f03e0 729->737 730->727 738 4f0439-4f04b8 VirtualFree 737->738 739 4f03e2-4f0437 call 4f0ce7 737->739 741 4f04be-4f04cd 738->741 742 4f05f4-4f05fe 738->742 739->737 746 4f04d3-4f04dd 741->746 743 4f077f-4f0789 742->743 744 4f0604-4f060d 742->744 750 4f078b-4f07a3 743->750 751 4f07a6-4f07b0 743->751 744->743 748 4f0613-4f0637 744->748 746->742 747 4f04e3-4f0505 LoadLibraryA 746->747 752 4f0517-4f0520 747->752 753 4f0507-4f0515 747->753 756 4f063e-4f0648 748->756 750->751 754 4f086e-4f08be LoadLibraryA 751->754 755 4f07b6-4f07cb 751->755 757 4f0526-4f0547 752->757 753->757 764 4f08c7-4f08f9 754->764 758 4f07d2-4f07d5 755->758 756->743 759 4f064e-4f065a 756->759 762 4f054d-4f0550 757->762 760 4f07d7-4f07e0 758->760 761 4f0824-4f0833 758->761 759->743 763 4f0660-4f066a 759->763 767 4f07e4-4f0822 760->767 768 4f07e2 760->768 772 4f0839-4f083c 761->772 769 4f0556-4f056b 762->769 770 4f05e0-4f05ef 762->770 771 4f067a-4f0689 763->771 765 4f08fb-4f0901 764->765 766 4f0902-4f091d 764->766 765->766 767->758 768->761 773 4f056f-4f057a 769->773 774 4f056d 769->774 770->746 775 4f068f-4f06b2 771->775 776 4f0750-4f077a 771->776 772->754 777 4f083e-4f0847 772->777 779 4f057c-4f0599 773->779 780 4f059b-4f05bb 773->780 774->770 781 4f06ef-4f06fc 775->781 782 4f06b4-4f06ed 775->782 776->756 783 4f084b-4f086c 777->783 784 4f0849 777->784 791 4f05bd-4f05db 779->791 780->791 785 4f06fe-4f0748 781->785 786 4f074b 781->786 782->781 783->772 784->754 785->786 786->771 791->762
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004F024D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID: cess$kernel32.dll
                                                                                    • API String ID: 4275171209-1230238691
                                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction ID: 83880b094ae64c264b2fc075c34aefdff4589c7d83e42e366babc69d92f96334
                                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction Fuzzy Hash: 6E527A74A01229DFDB64CF58C984BA9BBB1BF09304F1480DAE50DAB352DB34AE85DF15

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 792 41a733-41a73a 793 41a740-41a750 792->793 794 41a752 793->794 795 41a757-41a75a 793->795 794->795 795->793 796 41a75c-41a77f LoadLibraryW call 41a150 call 41a3c0 795->796 801 41a780-41a787 796->801 802 41a789-41a799 GlobalSize 801->802 803 41a79d-41a7a3 801->803 802->803 804 41a7a5 call 41a140 803->804 805 41a7aa-41a7b1 803->805 804->805 807 41a7c0-41a7c7 805->807 808 41a7b3-41a7ba InterlockedExchangeAdd 805->808 807->801 810 41a7c9-41a7d9 807->810 808->807 811 41a7e0-41a7e5 810->811 812 41a7e7-41a7ed 811->812 813 41a7ef-41a7f5 811->813 812->813 814 41a7f7-41a80b 812->814 813->811 813->814
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNELBASE(0041CA40), ref: 0041A761
                                                                                    • GlobalSize.KERNEL32(00000000), ref: 0041A78B
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041A7BA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747152733.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_415000_Uc84uB877e.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExchangeGlobalInterlockedLibraryLoadSize
                                                                                    • String ID: k`$}$
                                                                                    • API String ID: 1230614907-956986773
                                                                                    • Opcode ID: a3e78ca8972b459e049ba6862a6a0ce0becd30ac4d270826d53a1e919f261356
                                                                                    • Instruction ID: 7b8ff2694f1d602ba7a946f95e1649465b5555d6d8af1b553a934ad92e012e3b
                                                                                    • Opcode Fuzzy Hash: a3e78ca8972b459e049ba6862a6a0ce0becd30ac4d270826d53a1e919f261356
                                                                                    • Instruction Fuzzy Hash: 0E115B306452108AC720AB20DC86BEBB760EB49315F04443FE679C62E1CB7895A187DF

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                    • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                    • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                      • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                      • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                      • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                      • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                      • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 4131120076-2980165447
                                                                                    • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                    • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                    • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                    • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 831 41a150-41a245 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00421ED0), ref: 0041A1EE
                                                                                    • GetProcAddress.KERNEL32(00000000,00420640), ref: 0041A221
                                                                                    • VirtualProtect.KERNELBASE(00421D1C,00421FFC,00000040,?), ref: 0041A240
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747152733.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_415000_Uc84uB877e.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 2099061454-3916222277
                                                                                    • Opcode ID: 43eeca7b3c22ce8a6c466c546c19edbb344e041a21fc20c24d459346d5b8201c
                                                                                    • Instruction ID: 747ab1926375d96777e0e3d3484c6eb7921817781462841d468bdbe11fa8b97b
                                                                                    • Opcode Fuzzy Hash: 43eeca7b3c22ce8a6c466c546c19edbb344e041a21fc20c24d459346d5b8201c
                                                                                    • Instruction Fuzzy Hash: 20113774728244DAD330CF64FD45B063AB5EBA4704F81513CD9488B2B2D7B61526C75E

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 832 404000-404008 833 40400b-40402a CreateFileA 832->833 834 404057 833->834 835 40402c-404035 GetLastError 833->835 838 404059-40405c 834->838 836 404052 835->836 837 404037-40403a 835->837 840 404054-404056 836->840 837->836 839 40403c-40403f 837->839 838->840 839->838 841 404041-404050 Sleep 839->841 841->833 841->836
                                                                                    APIs
                                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                    • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                    • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateErrorFileLastSleep
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 408151869-2980165447
                                                                                    • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                    • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                    • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                    • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
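
The API listings in this section (the file reader at 0040675C, the VirtualAlloc/VirtualProtect stubs at 004F003C and 0041A150, the CreateFileA retry loop at 00404000) print the call arguments as raw hex stack cells, so the analyst still has to decode them by hand. The Python below is an added example for this report; it is neither Joe Sandbox code nor part of the analysed sample. It parses lines in the report's `API.MODULE(args), ref: addr` format, decodes the Win32 constants that actually occur in them, and raises two behaviour-level flags (file hidden, region made RWX). It assumes the listing prints a window of the stack in which only the first N cells, N taken from the Win32 prototype, are the call's real parameters; `PARAM_COUNT`, `Call`, `parse_listing` and `suspicious` are names chosen here, and the six input lines are copied from the listings above.

```python
"""Decode Joe Sandbox 'APIs' listing lines into structured Win32 call records.

Added example for this report; it is neither Joe Sandbox code nor part of the
analysed sample. The input lines are copied from the listings above and the
flag tables cover only the Win32 constants those lines actually use.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: six lines copied verbatim from the API listings above.
SAMPLE = """\
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
• SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004F024D
• VirtualProtect.KERNELBASE(00421D1C,00421FFC,00000040,?), ref: 0041A240
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption about the listing format: the tool prints a window of the stack at
# call time, so only the first N cells are the call's real parameters (stdcall,
# N from the Win32 prototype); the rest are return addresses and caller locals
# such as the 'PromptOnSecureDesktop' string.
PARAM_COUNT = {"CreateFileA": 7, "SetFileAttributesA": 2, "VirtualAlloc": 4,
               "VirtualProtect": 4, "Sleep": 1, "HeapFree": 3}

# Win32 constants used by the calls in the listing (bit flags as (mask, name)).
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = [(0x02, "FILE_ATTRIBUTE_HIDDEN"), (0x80, "FILE_ATTRIBUTE_NORMAL"),
             (0x40000000, "FILE_FLAG_OVERLAPPED")]
ALLOC_TYPE = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE")]
PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class Call:
    api: str
    module: str
    args: list                      # real parameters; None for '?' or non-numeric cells
    ref: int                        # return address of the call site
    subcall_of: Optional[int] = None
    decoded: dict = field(default_factory=dict)


def flags(value, table):
    """Render a bit mask as OR-ed constant names, keeping unknown bits as hex."""
    names = [name for mask, name in table if value & mask]
    rest = value & ~sum(mask for mask, _ in table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode(call):
    """Attach symbolic meanings to the parameters an analyst looks at first."""
    a = call.args
    ints = lambda *idx: all(len(a) > i and isinstance(a[i], int) for i in idx)
    if call.api == "CreateFileA" and ints(1, 2, 4, 5):
        call.decoded = {"access": flags(a[1], ACCESS), "share": flags(a[2], SHARE),
                        "disposition": DISPOSITION.get(a[4], hex(a[4])),
                        "flags": flags(a[5], FILE_ATTR)}
    elif call.api == "SetFileAttributesA" and ints(1):
        call.decoded = {"attributes": flags(a[1], FILE_ATTR)}
    elif call.api == "VirtualAlloc" and ints(2, 3):
        call.decoded = {"alloc": flags(a[2], ALLOC_TYPE), "protect": PROTECT.get(a[3], hex(a[3]))}
    elif call.api == "VirtualProtect" and ints(2):
        call.decoded = {"protect": PROTECT.get(a[2], hex(a[2]))}
    elif call.api == "Sleep" and ints(0):
        call.decoded = {"ms": a[0]}
    return call


def parse_listing(text):
    """Turn the report's API lines into Call records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # section headers such as 'APIs' or 'Strings'
        cells = [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", t) else None
                 for t in m["args"].split(",")]
        n = PARAM_COUNT.get(m["api"], len(cells))
        calls.append(decode(Call(api=m["api"], module=m["mod"], args=cells[:n],
                                 ref=int(m["ref"], 16),
                                 subcall_of=int(m["sub"], 16) if m["sub"] else None)))
    return calls


def suspicious(calls):
    """Behaviour-level flags raised from the decoded arguments."""
    findings = []
    for c in calls:
        d = c.decoded
        if c.api == "SetFileAttributesA" and "FILE_ATTRIBUTE_HIDDEN" in d.get("attributes", ""):
            findings.append(f"{c.ref:08X}: sets FILE_ATTRIBUTE_HIDDEN on a file")
        if c.api == "VirtualProtect" and d.get("protect") == "PAGE_EXECUTE_READWRITE":
            findings.append(f"{c.ref:08X}: makes a region RWX (unpacking / code patching)")
    return findings


if __name__ == "__main__":
    calls = parse_listing(SAMPLE)
    for call in calls:
        print(f"{call.ref:08X} {call.api:<20} {call.decoded}")
    print("\n".join(suspicious(calls)))
```

Run as a script it prints one decoded record per line; paste a whole function block from the report into `SAMPLE` and extend the tables as further APIs appear. On the six lines above it confirms what the raw cells imply: 0040679A opens the target with GENERIC_READ, OPEN_EXISTING and read/write sharing, 004067BF then marks it hidden, 004F024D commits a plain PAGE_READWRITE buffer, and 0041A240 switches a region in the image to PAGE_EXECUTE_READWRITE before it is patched.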

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 842 406987-4069b7 843 4069e0 842->843 844 4069b9-4069be 842->844 846 4069e4-4069fd WriteFile 843->846 844->843 845 4069c0-4069d0 844->845 847 4069d2 845->847 848 4069d5-4069de 845->848 849 406a4d-406a51 846->849 850 4069ff-406a02 846->850 847->848 848->846 851 406a53-406a56 849->851 852 406a59 849->852 850->849 853 406a04-406a08 850->853 851->852 854 406a5b-406a5f 852->854 855 406a0a-406a0d 853->855 856 406a3c-406a3e 853->856 857 406a10-406a2e WriteFile 855->857 856->854 858 406a40-406a4b 857->858 859 406a30-406a33 857->859 858->854 859->858 860 406a35-406a3a 859->860 860->856 860->857
                                                                                    APIs
                                                                                    • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                    • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID: ,k@
                                                                                    • API String ID: 3934441357-1053005162
                                                                                    • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                    • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                    • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                    • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 879 4091eb-409208 880 409308 879->880 881 40920e-40921c call 40ed03 879->881 883 40930b-40930f 880->883 885 40921e-40922c call 40ed03 881->885 886 40923f-409249 881->886 885->886 892 40922e-409230 885->892 888 409250-409270 call 40ee08 886->888 889 40924b 886->889 894 409272-40927f 888->894 895 4092dd-4092e1 888->895 889->888 896 409233-409238 892->896 897 409281-409285 894->897 898 40929b-40929e 894->898 899 4092e3-4092e5 895->899 900 4092e7-4092e8 895->900 896->896 901 40923a-40923c 896->901 897->897 902 409287 897->902 904 4092a0 898->904 905 40928e-409293 898->905 899->900 903 4092ea-4092ef 899->903 900->895 901->886 902->898 908 4092f1-4092f6 Sleep 903->908 909 4092fc-409302 903->909 910 4092a8-4092ab 904->910 906 409295-409298 905->906 907 409289-40928c 905->907 906->910 911 40929a 906->911 907->905 907->911 908->909 909->880 909->881 912 4092a2-4092a5 910->912 913 4092ad-4092b0 910->913 911->898 914 4092b2 912->914 915 4092a7 912->915 913->914 916 4092bd 913->916 918 4092b5-4092b9 914->918 915->910 917 4092bf-4092db ShellExecuteA 916->917 917->895 919 409310-409324 917->919 918->918 920 4092bb 918->920 919->883 920->917
                                                                                    APIs
                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                    • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShellSleep
                                                                                    • String ID:
                                                                                    • API String ID: 4194306370-0
                                                                                    • Opcode ID: f879f8fadec04f6bf6b1199d3439cd872fe94bd0f9ee82a20ab95112746dcfee
                                                                                    • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                    • Opcode Fuzzy Hash: f879f8fadec04f6bf6b1199d3439cd872fe94bd0f9ee82a20ab95112746dcfee
                                                                                    • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE(00000400,?,?,004F0223,?,?), ref: 004F0E19
                                                                                    • SetErrorMode.KERNELBASE(00000000,?,?,004F0223,?,?), ref: 004F0E1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    APIs
                                                                                      • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                      • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                      • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                      • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                    • String ID:
                                                                                    • API String ID: 1823874839-0
                                                                                    APIs
                                                                                    • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 004F0929
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 560597551-0
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0058BD3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747369440.000000000058B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058B000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    APIs
                                                                                    • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                    • closesocket.WS2_32(?), ref: 0040CB63
                                                                                    • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                    • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                    • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                    • wsprintfA.USER32 ref: 0040CD21
                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                    • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                    • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                    • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                    • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                    • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                    • closesocket.WS2_32(?), ref: 0040D56C
                                                                                    • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                    • ExitProcess.KERNEL32 ref: 0040D583
                                                                                    • wsprintfA.USER32 ref: 0040D81F
                                                                                      • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                    • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                    • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                    • API String ID: 562065436-3791576231
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                    • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                    • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                    • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                    • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                    • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                    • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                    • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                    • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                    • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                    • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                    • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                    • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                    • API String ID: 2238633743-3228201535
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                    • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                    • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                    • wsprintfA.USER32 ref: 0040B3B7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                    • API String ID: 766114626-2976066047
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                    • String ID: D
                                                                                    • API String ID: 3722657555-2746444292
                                                                                    APIs
                                                                                    • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                    • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShelllstrlen
                                                                                    • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                    • API String ID: 1628651668-179334549
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                    • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                      • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                    • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                    • API String ID: 4207808166-1381319158
                                                                                    • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                    • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                    • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                    • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                    • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                    • htons.WS2_32(00000000), ref: 00402ADB
                                                                                    • select.WS2_32 ref: 00402B28
                                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                    • htons.WS2_32(?), ref: 00402B71
                                                                                    • htons.WS2_32(?), ref: 00402B8C
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                    • String ID:
                                                                                    • API String ID: 1639031587-0
                                                                                    • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                    • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                    • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                    • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                    • ExitProcess.KERNEL32 ref: 00404121
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEventExitProcess
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 2404124870-2980165447
                                                                                    • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                    • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                    • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                    • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                    APIs
                                                                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                    • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                    • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                    • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Read$AddressLibraryLoadProc
                                                                                    • String ID:
                                                                                    • API String ID: 2438460464-0
                                                                                    • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                    • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                    • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                    • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                    • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                    • String ID: *p@
                                                                                    • API String ID: 3429775523-2474123842
                                                                                    • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                    • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                    • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                    • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 1965334864-0
                                                                                    • Opcode ID: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                    • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                    • Opcode Fuzzy Hash: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                    • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 004F65F6
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004F6610
                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004F6631
                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004F6652
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 1965334864-0
                                                                                    • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                    • Instruction ID: 3d2a489c04368c9cbaf241e53be49382c160a194b09cb0f6ade92607c0483def
                                                                                    • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                    • Instruction Fuzzy Hash: 9911777160021CBFEB115F65DC46FAB3FA8EF057A5F114025FA04E7251DBB5DD0086A8
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                    • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                      • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                      • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3754425949-0
                                                                                    • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                    • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                    • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                    • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                    • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                    • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                    • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747369440.000000000058B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058B000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                    • Instruction ID: a476aad9239cd1e72c828bc040b550097c0ff95305667fd120e38813db66922c
                                                                                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                    • Instruction Fuzzy Hash: A2115A72740105AFEB44EE55DC81FA677EAFB89360B298065EE08DB316D775E802C760
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                    • Instruction ID: 2b3fd6cf4533f3a8e818fb1884d4457831b369b992358946cb87bab4cba5e53e
                                                                                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                    • Instruction Fuzzy Hash: 3701A7766016088FDF21CF64C904BBB33E5FBD6316F4544A6DA0697342E778A9418B94
                                                                                    APIs
                                                                                    • ExitProcess.KERNEL32 ref: 004F9E6D
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 004F9FE1
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004F9FF2
                                                                                    • lstrcat.KERNEL32(?,0041070C), ref: 004FA004
                                                                                    • GetFileAttributesExA.KERNEL32(?,?,?), ref: 004FA054
                                                                                    • DeleteFileA.KERNEL32(?), ref: 004FA09F
                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 004FA0D6
                                                                                    • lstrcpy.KERNEL32 ref: 004FA12F
                                                                                    • lstrlen.KERNEL32(00000022), ref: 004FA13C
                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 004F9F13
                                                                                      • Part of subcall function 004F7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 004F7081
                                                                                      • Part of subcall function 004F6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rxarouyf,004F7043), ref: 004F6F4E
                                                                                      • Part of subcall function 004F6F30: GetProcAddress.KERNEL32(00000000), ref: 004F6F55
                                                                                      • Part of subcall function 004F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 004F6F7B
                                                                                      • Part of subcall function 004F6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 004F6F92
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 004FA1A2
                                                                                    • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 004FA1C5
                                                                                    • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 004FA214
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 004FA21B
                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 004FA265
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 004FA29F
                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 004FA2C5
                                                                                    • lstrcat.KERNEL32(?,00000022), ref: 004FA2D9
                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 004FA2F4
                                                                                    • wsprintfA.USER32 ref: 004FA31D
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 004FA345
                                                                                    • lstrcat.KERNEL32(?,?), ref: 004FA364
                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 004FA387
                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 004FA398
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 004FA1D1
                                                                                      • Part of subcall function 004F9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 004F999D
                                                                                      • Part of subcall function 004F9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 004F99BD
                                                                                      • Part of subcall function 004F9966: RegCloseKey.ADVAPI32(?), ref: 004F99C6
                                                                                    • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 004FA3DB
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 004FA3E2
                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 004FA41D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                    • String ID: "$"$"$D$P$\
                                                                                    • API String ID: 1653845638-2605685093
                                                                                    • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                    • Instruction ID: 2ffde47dd54e4c769b2d19119485e3fcddbc16ea6cd932aa3910f51df4df4fc8
                                                                                    • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                    • Instruction Fuzzy Hash: 52F143B1D4025DAFDB11DBA19C49EFF77BCAB08304F0440AAE709E2141E7798A958F69
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                    • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                    • String ID: D$PromptOnSecureDesktop
                                                                                    • API String ID: 2976863881-1403908072
                                                                                    • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                    • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                    • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                    • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 004F7D21
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 004F7D46
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004F7D7D
                                                                                    • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 004F7DA2
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 004F7DC0
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 004F7DD1
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004F7DE5
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004F7DF3
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004F7E03
                                                                                    • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 004F7E12
                                                                                    • LocalFree.KERNEL32(00000000), ref: 004F7E19
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004F7E35
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                    • String ID: D$PromptOnSecureDesktop
                                                                                    • API String ID: 2976863881-1403908072
                                                                                    • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                    • Instruction ID: ea1d42171a28daf055a40cde6cb00c9ff3dc6cf8f1263e0251a775b1504ff7f1
                                                                                    • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                    • Instruction Fuzzy Hash: 76A13F7190021DAFDB118FA5DD44FFFBBB9FB08344F14806AE605E6250DB798A85CB68
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                    • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                    • API String ID: 2400214276-165278494
                                                                                    • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                    • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                    • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                    • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 0040A7FB
                                                                                    • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                    • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                    • wsprintfA.USER32 ref: 0040A8AF
                                                                                    • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                    • wsprintfA.USER32 ref: 0040A8E2
                                                                                    • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                    • wsprintfA.USER32 ref: 0040A9B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$send$lstrlenrecv
                                                                                    • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                    • API String ID: 3650048968-2394369944
                                                                                    • Opcode ID: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
                                                                                    • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                    • Opcode Fuzzy Hash: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
                                                                                    • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 004F7A96
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004F7ACD
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 004F7ADF
                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 004F7B01
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 004F7B1F
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 004F7B39
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004F7B4A
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004F7B58
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004F7B68
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 004F7B77
                                                                                    • LocalFree.KERNEL32(00000000), ref: 004F7B7E
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004F7B9A
                                                                                    • GetAce.ADVAPI32(?,?,?), ref: 004F7BCA
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 004F7BF1
                                                                                    • DeleteAce.ADVAPI32(?,?), ref: 004F7C0A
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 004F7C2C
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004F7CB1
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004F7CBF
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 004F7CD0
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 004F7CE0
                                                                                    • LocalFree.KERNEL32(00000000), ref: 004F7CEE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                    • String ID: D
                                                                                    • API String ID: 3722657555-2746444292
                                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                    • Instruction ID: 3a77c08836b2857502a4331bd1c43677ec5dba8743c4b6fa9e450600431a176b
                                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                    • Instruction Fuzzy Hash: 22814C7190425DAFDB11CFA5DD84FEFBBB8AF08304F04816AE605E6250D77D9A41CB68
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                    • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                    • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                    • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Value$CloseOpenQuery
                                                                                    • String ID: PromptOnSecureDesktop$localcfg
                                                                                    • API String ID: 237177642-1678164370
                                                                                    • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                    • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                    • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                    • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                    APIs
                                                                                    • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                    • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                    • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                    • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                    • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                    • API String ID: 835516345-270533642
                                                                                    • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                    • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                    • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                    • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 004F865A
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 004F867B
                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 004F86A8
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 004F86B1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Value$CloseOpenQuery
                                                                                    • String ID: "$PromptOnSecureDesktop
                                                                                    • API String ID: 237177642-3108538426
                                                                                    • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                    • Instruction ID: 13b6a96038e49e2e0561472811a8f5809e967612b16a72ff371618e4fa206fc4
                                                                                    • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                    • Instruction Fuzzy Hash: EAC193B190014DBEEB11ABA5DD85EFF7BBCEB04304F14406BF704E6151EBB84A948B69
                                                                                    APIs
                                                                                    • ShellExecuteExW.SHELL32(?), ref: 004F1601
                                                                                    • lstrlenW.KERNEL32(-00000003), ref: 004F17D8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShelllstrlen
                                                                                    • String ID: $<$@$D
                                                                                    • API String ID: 1628651668-1974347203
                                                                                    • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                    • Instruction ID: 4f38943b211d619e45123ff6ecd7bcfd579e589b8859e339c5c43777515776ed
                                                                                    • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                    • Instruction Fuzzy Hash: ECF17EB1508345DFD720DF64C888BABB7E4FB88305F10892EF695973A0D7B89944CB5A
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 004F76D9
                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 004F7757
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 004F778F
                                                                                    • ___ascii_stricmp.LIBCMT ref: 004F78B4
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004F794E
                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004F796D
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004F797E
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004F79AC
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004F7A56
                                                                                      • Part of subcall function 004FF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,004F772A,?), ref: 004FF414
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004F79F6
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004F7A4D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                    • String ID: "$PromptOnSecureDesktop
                                                                                    • API String ID: 3433985886-3108538426
                                                                                    • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                    • Instruction ID: b7d7fbb2bcfe76e1160e64506605014bfb8a98073b1c3a8017e003ac4af67037
                                                                                    • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                    • Instruction Fuzzy Hash: 58C1907190410DAFEB119BA5DC45FFF7BB9EF44310F1040A6F604E6291EB7D9A848B68
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004F2CED
                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 004F2D07
                                                                                    • htons.WS2_32(00000000), ref: 004F2D42
                                                                                    • select.WS2_32 ref: 004F2D8F
                                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 004F2DB1
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 004F2E62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                    • String ID:
                                                                                    • API String ID: 127016686-0
                                                                                    • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                    • Instruction ID: fe4fb87d7601f2fd91a0b706c162eb07f145459fea63cb9560095bed5cc1e38f
                                                                                    • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                    • Instruction Fuzzy Hash: AB61E071904309ABC3209F61DD08B7BBBF8FB48345F14481AFA8497251D7F9DC819BAA
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                      • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                      • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                      • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                      • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                    • wsprintfA.USER32 ref: 0040AEA5
                                                                                      • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                    • wsprintfA.USER32 ref: 0040AE4F
                                                                                    • wsprintfA.USER32 ref: 0040AE5E
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                    • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                    • API String ID: 3631595830-1816598006
                                                                                    • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                    • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                    • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                    • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                    • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                    • htons.WS2_32(00000035), ref: 00402E88
                                                                                    • inet_addr.WS2_32(?), ref: 00402E93
                                                                                    • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                                    • API String ID: 929413710-2099955842
                                                                                    • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                    • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                    • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                    • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
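The two network functions above (the UDP receiver at 004F2CED-004F2E62 with socket(00000002,00000002,00000011) and recv(...,00001000,...), and the resolver at 00402E01-00402EE6 that loads GetNetworkParams from iphlpapi.dll and calls htons(00000035)) and the registry walks earlier in this listing (RegOpenKeyExA with 80000002 and access masks 00020119 / 00000101) are only readable once the raw DWORDs are mapped back to Windows constants. The following is an added example, not code from Joe Sandbox or from the sample: a small Python parser for the "APIs" lines in this report that decodes those constants. The sample lines are copied from this page; the constant tables are the public Windows values (winsock2.h, winreg.h) and are not taken from the report. Argument slots in these listings are a stack snapshot, so the decoder only interprets positions when the argument count matches the documented prototype and otherwise reports what it can.

```python
import re

# Constructed sample: lines in the exact shape the "APIs" lists above use.
SAMPLE_LINES = [
    "socket.WS2_32(00000002,00000002,00000011), ref: 004F2D07",
    "htons.WS2_32(00000035), ref: 00402E88",
    "recv.WS2_32(?,00000000,00001000,00000000), ref: 004F2DB1",
    "select.WS2_32 ref: 004F2D8F",
    "RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 004F76D9",
    "RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 004F7757",
]

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Public Windows constants (winreg.h / winsock2.h), not values taken from the report.
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
}
ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOLS = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
KEY_BITS = [
    (0x00020000, "READ_CONTROL"), (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"), (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"), (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"), (0x00000100, "KEY_WOW64_64KEY"),
    (0x00000200, "KEY_WOW64_32KEY"),
]
KEY_READ = 0x00020019            # READ_CONTROL|QUERY_VALUE|ENUMERATE_SUB_KEYS|NOTIFY
KNOWN_KEY_MASK = sum(bit for bit, _ in KEY_BITS)


def parse_arg(token):
    """'?' means the sandbox could not recover the value; 8 hex digits are a DWORD."""
    if token == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token                  # resolved string literal, e.g. a DLL or export name


def parse_api_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an API line: %r" % line)
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def lookup(table, value):
    if value in table:
        return table[value]
    return "?" if value is None else (hex(value) if isinstance(value, int) else value)


def decode_key_access(mask):
    """Render a registry access mask; the KEY_READ composite is folded back first."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    names += [name for bit, name in KEY_BITS if mask & bit]
    return "|".join(names)


def looks_like_key_access(value):
    """Accept only values built from known rights that include a standard-rights or
    WOW64 bit, so NULLs, counters and handles are not mistaken for access masks."""
    return (isinstance(value, int) and value > 0
            and value & ~KNOWN_KEY_MASK == 0
            and value & (0x00020000 | 0x00000100 | 0x00000200) != 0)


def decode(rec):
    """Positional decoding only where the argument count matches the prototype:
    these listings are a stack snapshot, so extra or missing slots are common."""
    api, args = rec["api"], rec["args"]
    if api == "socket" and len(args) == 3:
        return "%s %s %s" % (lookup(ADDRESS_FAMILIES, args[0]),
                             lookup(SOCKET_TYPES, args[1]),
                             lookup(PROTOCOLS, args[2]))
    if api == "htons" and args and isinstance(args[0], int):
        return "port %d" % args[0]
    if api == "recv" and len(args) == 4 and isinstance(args[2], int):
        return "reads up to %d bytes" % args[2]
    if api.startswith("RegOpenKeyEx"):
        parts = [HKEY_ROOTS[args[0]]] if args and args[0] in HKEY_ROOTS else []
        parts += [decode_key_access(a) for a in args if looks_like_key_access(a)]
        return " ".join(parts) or "(nothing decodable)"
    return "(no decoder)"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_api_line(line)
        print("%08X %-14s %s" % (rec["ref"], rec["api"], decode(rec)))
```

Run against the six sample lines this prints, among others, AF_INET SOCK_DGRAM IPPROTO_UDP for the socket() call, port 53 for htons(00000035), and HKEY_LOCAL_MACHINE KEY_READ|KEY_WOW64_64KEY for the first RegOpenKeyExA, which is what makes the UDP receiver, the DNS resolver and the 64-bit registry view readable at a glance. "Part of subcall function" lines carry an extra prefix and are deliberately not parsed.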
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(?), ref: 004F95A7
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 004F95D5
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 004F95DC
                                                                                    • wsprintfA.USER32 ref: 004F9635
                                                                                    • wsprintfA.USER32 ref: 004F9673
                                                                                    • wsprintfA.USER32 ref: 004F96F4
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004F9758
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004F978D
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004F97D8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 3696105349-2980165447
                                                                                    • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                    • Instruction ID: 98deaf7c5838cbf721e26b5b367791dc2f6e7d541a7b9671d3c0c5c237431ea8
                                                                                    • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                    • Instruction Fuzzy Hash: EFA162B194020CFBEB21EFA1CC45FEB3BACAB05745F10402BFA1596151D7B9D9848BA9
                                                                                    APIs
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmpi
                                                                                    • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                    • API String ID: 1586166983-142018493
                                                                                    • Opcode ID: 9bc1f6eaf859e488329790364f54f8d8fb956d111e5ea2dcff1f0b71cefcbf58
                                                                                    • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                    • Opcode Fuzzy Hash: 9bc1f6eaf859e488329790364f54f8d8fb956d111e5ea2dcff1f0b71cefcbf58
                                                                                    • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 0040B467
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$wsprintf
                                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                    • API String ID: 1220175532-2340906255
                                                                                    • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                    • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                    • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                    • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00402078
                                                                                    • GetTickCount.KERNEL32 ref: 004020D4
                                                                                    • GetTickCount.KERNEL32 ref: 004020DB
                                                                                    • GetTickCount.KERNEL32 ref: 0040212B
                                                                                    • GetTickCount.KERNEL32 ref: 00402132
                                                                                    • GetTickCount.KERNEL32 ref: 00402142
                                                                                      • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                      • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                      • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                      • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                      • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                    • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                    • API String ID: 3976553417-1522128867
                                                                                    • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                    • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                    • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                    • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                    APIs
                                                                                    • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                    • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: closesockethtonssocket
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 311057483-2401304539
                                                                                    • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                    • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                    • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                    • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                    APIs
                                                                                      • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                      • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                    • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                    • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                    • GetTickCount.KERNEL32 ref: 0040C363
                                                                                    • GetTickCount.KERNEL32 ref: 0040C378
                                                                                    • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                    • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                    • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 1553760989-1857712256
                                                                                    • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                    • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                    • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                    • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 004F3068
                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 004F3078
                                                                                    • GetProcAddress.KERNEL32(00000000,00410408), ref: 004F3095
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004F30B6
                                                                                    • htons.WS2_32(00000035), ref: 004F30EF
                                                                                    • inet_addr.WS2_32(?), ref: 004F30FA
                                                                                    • gethostbyname.WS2_32(?), ref: 004F310D
                                                                                    • HeapFree.KERNEL32(00000000), ref: 004F314D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                    • String ID: iphlpapi.dll
                                                                                    • API String ID: 2869546040-3565520932
                                                                                    • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                    • Instruction ID: 1b80e58119854fd95caef1ad574c322ffafcfe858b6fabc86d724f1e94225403
                                                                                    • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                    • Instruction Fuzzy Hash: 7C317531A0060EABDB119FB49D48ABF7778AF05762F144126E618E7390DB78DA41CB5C
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                                    • API String ID: 3560063639-3847274415
                                                                                    • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                    • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                    • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                    • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                    • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                    • API String ID: 1082366364-2834986871
                                                                                    • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                    • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                    • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                    • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                    • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                    • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                    • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                    • String ID: D$PromptOnSecureDesktop
                                                                                    • API String ID: 2981417381-1403908072
                                                                                    • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                    • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                    • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                    • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                    APIs
                                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 004F67C3
                                                                                    • htonl.WS2_32(?), ref: 004F67DF
                                                                                    • htonl.WS2_32(?), ref: 004F67EE
                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 004F68F1
                                                                                    • ExitProcess.KERNEL32 ref: 004F69BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Processhtonl$CurrentExitHugeRead
                                                                                    • String ID: except_info$localcfg
                                                                                    • API String ID: 1150517154-3605449297
                                                                                    • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                    • Instruction ID: 000b64f7a03637e269b0d8c612a2001354bdc82a721d6b8b29d726a0ec5003c4
                                                                                    • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                    • Instruction Fuzzy Hash: 46615071940208AFDB609FB4DC45FEA77E9FF08300F14806AFA6DD2161DAB59994CF54
                                                                                    APIs
                                                                                    • htons.WS2_32(004FCC84), ref: 004FF5B4
                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 004FF5CE
                                                                                    • closesocket.WS2_32(00000000), ref: 004FF5DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: closesockethtonssocket
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 311057483-2401304539
                                                                                    • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                    • Instruction ID: 1cb1a44a7499f170dc734182cf7d32bda00229a38ead1bb4a8ebfe62165e5797
                                                                                    • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                    • Instruction Fuzzy Hash: 1C315E7190011CABDB10DFA5DC85DEF7BBCEF48310F10456AFA15D3150E7749A868BA9
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                    • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                    • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                    • wsprintfA.USER32 ref: 00407036
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                    • String ID: /%d$|
                                                                                    • API String ID: 676856371-4124749705
                                                                                    • Opcode ID: 0d12a7b496ace9c0c99c0276ab90a72f2bda41479394b1ea55399d50714db434
                                                                                    • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                    • Opcode Fuzzy Hash: 0d12a7b496ace9c0c99c0276ab90a72f2bda41479394b1ea55399d50714db434
                                                                                    • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(?), ref: 004F2FA1
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 004F2FB1
                                                                                    • GetProcAddress.KERNEL32(00000000,004103F0), ref: 004F2FC8
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 004F3000
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004F3007
                                                                                    • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 004F3032
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                    • String ID: dnsapi.dll
                                                                                    • API String ID: 1242400761-3175542204
                                                                                    • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                    • Instruction ID: 752f38ae74552d3b36b59895a24eed5170453ee010ae7f445c185af8568c9611
                                                                                    • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                    • Instruction Fuzzy Hash: 8521627194162ABBCB219F55DC449BFBBB8EF08B51F104422FA05E7240D7B89E8197E8
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Code
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 3609698214-2980165447
                                                                                    • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                    • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                    • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                    • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rxarouyf,004F7043), ref: 004F6F4E
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004F6F55
                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 004F6F7B
                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 004F6F92
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                    • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\rxarouyf
                                                                                    • API String ID: 1082366364-2318927261
                                                                                    • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                    • Instruction ID: fbc83f6f683bc6f5d8e0667ec7e99a7ad985f1f877650edb813cd02fa6329aff
                                                                                    • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                    • Instruction Fuzzy Hash: B52104217443487EF7225731AD89FFB2E4C8F52714F1840AAF704D5292DADD88DA827D
                                                                                    APIs
                                                                                    • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                    • wsprintfA.USER32 ref: 004090E9
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                    • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 2439722600-2980165447
                                                                                    • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                    • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                    • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                    • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                    APIs
                                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 004F92E2
                                                                                    • wsprintfA.USER32 ref: 004F9350
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004F9375
                                                                                    • lstrlen.KERNEL32(?,?,00000000), ref: 004F9389
                                                                                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 004F9394
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004F939B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 2439722600-2980165447
                                                                                    • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                    • Instruction ID: e57c8f7dead29f136ba56e90991f335a8b74234e30bce7290562de04d4912349
                                                                                    • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                    • Instruction Fuzzy Hash: F51175B56401187BE7206732DC0EFFF3A6DDFC8B15F00806ABB05A5091EAB84A458669
                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 004F9A18
                                                                                    • GetThreadContext.KERNEL32(?,?), ref: 004F9A52
                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004F9A60
                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 004F9A98
                                                                                    • SetThreadContext.KERNEL32(?,00010002), ref: 004F9AB5
                                                                                    • ResumeThread.KERNEL32(?), ref: 004F9AC2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                    • String ID: D
                                                                                    • API String ID: 2981417381-2746444292
                                                                                    • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                    • Instruction ID: 5061966d04c3ade6eac9b78a4c1e3723a6885e93e111f1cfbbf2169db5174c06
                                                                                    • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                    • Instruction Fuzzy Hash: 19212C71E0111DBBDB119BA1DC09FEF7BBCEF04750F404062BA19E1150EB758A44CAA8
                                                                                    APIs
                                                                                    • inet_addr.WS2_32(004102D8), ref: 004F1C18
                                                                                    • LoadLibraryA.KERNEL32(004102C8), ref: 004F1C26
                                                                                    • GetProcessHeap.KERNEL32 ref: 004F1C84
                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 004F1C9D
                                                                                    • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 004F1CC1
                                                                                    • HeapFree.KERNEL32(?,00000000,00000000), ref: 004F1D02
                                                                                    • FreeLibrary.KERNEL32(?), ref: 004F1D0B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                    • String ID:
                                                                                    • API String ID: 2324436984-0
                                                                                    • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                    • Instruction ID: 5e5a31f444ac4164fad746dd10f82749229f408dbe41f399d5a468b32378a64e
                                                                                    • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                    • Instruction Fuzzy Hash: 4F313E31D0025DFFDB119FA4DC888BFBAB9EB45711B24447BE601A2220D7B95E80DB98
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                    • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: QueryValue$CloseOpen
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 1586453840-2980165447
                                                                                    • Opcode ID: 1d5f752cf5e4d4e7205d8b51b4cea38d33843a7f37b29257b789d56d7c64f5a9
                                                                                    • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                    • Opcode Fuzzy Hash: 1d5f752cf5e4d4e7205d8b51b4cea38d33843a7f37b29257b789d56d7c64f5a9
                                                                                    • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                    • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                    • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CreateEvent
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 1371578007-2980165447
                                                                                    • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                    • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                    • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                    • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004F6CE4
                                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 004F6D22
                                                                                    • GetLastError.KERNEL32 ref: 004F6DA7
                                                                                    • CloseHandle.KERNEL32(?), ref: 004F6DB5
                                                                                    • GetLastError.KERNEL32 ref: 004F6DD6
                                                                                    • DeleteFileA.KERNEL32(?), ref: 004F6DE7
                                                                                    • GetLastError.KERNEL32 ref: 004F6DFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                    • String ID:
                                                                                    • API String ID: 3873183294-0
                                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction ID: 5818ecba3b80d87adcd53d380b3a1b22c3901d8e57b31c1c1088cb5ae76473a8
                                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction Fuzzy Hash: 8D31F076A0024DBFCB01DFA49D48AEF7F79EF48300F15816AE311E3221D7748A858B69
                                                                                    APIs
                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,004FE50A,00000000,00000000,00000000,00020106,00000000,004FE50A,00000000,000000E4), ref: 004FE319
                                                                                    • RegSetValueExA.ADVAPI32(004FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 004FE38E
                                                                                    • RegDeleteValueA.ADVAPI32(004FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO), ref: 004FE3BF
                                                                                    • RegCloseKey.ADVAPI32(004FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO,004FE50A), ref: 004FE3C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Value$CloseCreateDelete
                                                                                    • String ID: PromptOnSecureDesktop$DO
                                                                                    • API String ID: 2667537340-4234893205
                                                                                    • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                    • Instruction ID: 033a8570c2f0a12c211eac4fc2b39da4a029b890c7bf759ab30f60348c26398e
                                                                                    • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                    • Instruction Fuzzy Hash: 29217F31A0021DABDF209FA5EC89EEF7F78EF08750F048022FA04E6161E2718A54D795
                                                                                    APIs
                                                                                    • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A30D
                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A325
                                                                                    • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A32D
                                                                                    • GetComputerNameW.KERNEL32(?,?), ref: 0041A377
                                                                                    • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A388
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747152733.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_415000_Uc84uB877e.jbxd
                                                                                    Similarity
                                                                                    • API ID: Name$BuildCommComputerExceptionFilterPathPrivateProfileShortStringUnhandledWrite
                                                                                    • String ID: -
                                                                                    • API String ID: 2733835202-2547889144
                                                                                    • Opcode ID: 972dee78267316b5dbc7bbd4915cf806889cba8b0a6c244f953a6d876a44d7a2
                                                                                    • Instruction ID: 650986be5dc8b55ca1c5e983756b84529eb98bd1a87a0d55f1c42adaeb56040e
                                                                                    • Opcode Fuzzy Hash: 972dee78267316b5dbc7bbd4915cf806889cba8b0a6c244f953a6d876a44d7a2
                                                                                    • Instruction Fuzzy Hash: 8321B7715452189BE720DF64DC85FEE77B4EB0C310F5041A9EA199A1C0CF785A858B5A
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                    • CharToOemA.USER32(?,?), ref: 00409174
                                                                                    • wsprintfA.USER32 ref: 004091A9
                                                                                      • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                      • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                      • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                      • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                      • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                      • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 3857584221-2980165447
                                                                                    • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                    • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                    • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                    • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 004F93C6
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 004F93CD
                                                                                    • CharToOemA.USER32(?,?), ref: 004F93DB
                                                                                    • wsprintfA.USER32 ref: 004F9410
                                                                                      • Part of subcall function 004F92CB: GetTempPathA.KERNEL32(00000400,?), ref: 004F92E2
                                                                                      • Part of subcall function 004F92CB: wsprintfA.USER32 ref: 004F9350
                                                                                      • Part of subcall function 004F92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004F9375
                                                                                      • Part of subcall function 004F92CB: lstrlen.KERNEL32(?,?,00000000), ref: 004F9389
                                                                                      • Part of subcall function 004F92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 004F9394
                                                                                      • Part of subcall function 004F92CB: CloseHandle.KERNEL32(00000000), ref: 004F939B
                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004F9448
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 3857584221-2980165447
                                                                                    • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                    • Instruction ID: dc98a73525188daaa68b68e0e676f8eb6908c8a93ecfbefd388ad01e7e2decb4
                                                                                    • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                    • Instruction Fuzzy Hash: 830152F69001187BD721A7619D49FEF377CDB95705F0040A6BB49E2080DAB89AC58F75
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen
                                                                                    • String ID: $localcfg
                                                                                    • API String ID: 1659193697-2018645984
                                                                                    • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                    • Instruction ID: abe62a84cd552543387306661d6b7713cf87420bb1596c48ace48a0de67840f1
                                                                                    • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                    • Instruction Fuzzy Hash: EF71F9F190034CAADF219A54DC85BFF376A9B00349F244027FB0CA6191DB6D5DA8875F
                                                                                    APIs
                                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                    • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                    • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                    • String ID: flags_upd$localcfg
                                                                                    • API String ID: 204374128-3505511081
                                                                                    • Opcode ID: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                    • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                    • Opcode Fuzzy Hash: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                    • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                    APIs
                                                                                      • Part of subcall function 004FDF6C: GetCurrentThreadId.KERNEL32 ref: 004FDFBA
                                                                                    • lstrcmp.KERNEL32(00410178,00000000), ref: 004FE8FA
                                                                                    • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,004F6128), ref: 004FE950
                                                                                    • lstrcmp.KERNEL32(?,00000008), ref: 004FE989
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                    • String ID: A$ A$ A
                                                                                    • API String ID: 2920362961-1846390581
                                                                                    • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                    • Instruction ID: 2312fd1faa4fb61235753830451277c640a72c4adca758d620778e074cbb9dc7
                                                                                    • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                    • Instruction Fuzzy Hash: 6F31A371600709DBCB718F26C884F777BE4EB05712F10852BE75587661D3B8E880C76A
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Code
                                                                                    • String ID:
                                                                                    • API String ID: 3609698214-0
                                                                                    • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                    • Instruction ID: 7118eb35368bf444dc22d30405b066ddb8f8be7a6666ea8fdfc1b5fdcb8963d8
                                                                                    • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                    • Instruction Fuzzy Hash: 7A218E7720411DBFDB109B71FC49EEF3FADDB49365B218426F602D1091EB799A009678
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                    • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                    • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                    • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 3819781495-0
                                                                                    • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                    • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                    • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                    • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 004FC6B4
                                                                                    • InterlockedIncrement.KERNEL32(004FC74B), ref: 004FC715
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,004FC747), ref: 004FC728
                                                                                    • CloseHandle.KERNEL32(00000000,?,004FC747,00413588,004F8A77), ref: 004FC733
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 1026198776-1857712256
                                                                                    • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                    • Instruction ID: 1baa1e8a33070bf9f4f1f1e3df23bead3bfd7e010cf1ccaa7439cd7379f67a11
                                                                                    • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                    • Instruction Fuzzy Hash: 86515CB1A04B499FD7249F29C6C452ABBE9FB48304B50593FE28BC7A90D778F844CB54
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                      • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                      • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                      • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 124786226-2980165447
                                                                                    • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                    • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                    • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                    • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                    APIs
                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                    • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                    • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                    • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Value$CloseCreateDelete
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 2667537340-2980165447
                                                                                    • Opcode ID: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                    • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                    • Opcode Fuzzy Hash: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                    • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 004F71E1
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004F7228
                                                                                    • LocalFree.KERNEL32(?,?,?), ref: 004F7286
                                                                                    • wsprintfA.USER32 ref: 004F729D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                    • String ID: |
                                                                                    • API String ID: 2539190677-2343686810
                                                                                    • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                    • Instruction ID: bda2ee3966f3e839f10813a0e4ea6b2234f65371954c34e7729082207cf8e4f2
                                                                                    • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                    • Instruction Fuzzy Hash: 93312D7290410CBFDB01DFA9DD45AEB7BACEF04314F14C066F959DB201EA79DA488B98
                                                                                    APIs
                                                                                    • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                    • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$gethostnamelstrcpy
                                                                                    • String ID: LocalHost
                                                                                    • API String ID: 3695455745-3154191806
                                                                                    • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                    • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                    • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                    • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 004FB51A
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004FB529
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004FB548
                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 004FB590
                                                                                    • wsprintfA.USER32 ref: 004FB61E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 4026320513-0
                                                                                    • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                    • Instruction ID: 2fe3ef36c844b5928c07eb47ceb0f482e766f23d7b6ba70341d9ca0295f94f8d
                                                                                    • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                    • Instruction Fuzzy Hash: 40510DB1D0021DAACF14DFD5D8895FEBBB9EF49304F10816BE605A6150E7B84AC9CF98
                                                                                    APIs
                                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 004F6303
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 004F632A
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004F63B1
                                                                                    • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 004F6405
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: HugeRead$AddressLibraryLoadProc
                                                                                    • String ID:
                                                                                    • API String ID: 3498078134-0
                                                                                    • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                    • Instruction ID: 79e5c7c47ad47ffcd8d22154af752f8fb427822527447ecedae1f5c54b7c3a9a
                                                                                    • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                    • Instruction Fuzzy Hash: 5A416B71A00219ABDB14CF58C884ABAB7B8EF04318F26816AEE15D7390D779ED41CB58
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 981fb48902faec8b3b60e951c7ac5498972a27d8d4857947259acf027c15d2af
                                                                                    • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                    • Opcode Fuzzy Hash: 981fb48902faec8b3b60e951c7ac5498972a27d8d4857947259acf027c15d2af
                                                                                    • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                    APIs
                                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                    • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                    • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                    • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                    • String ID: A$ A
                                                                                    • API String ID: 3343386518-686259309
                                                                                    • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                    • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                    • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                    • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0040272E
                                                                                    • htons.WS2_32(00000001), ref: 00402752
                                                                                    • htons.WS2_32(0000000F), ref: 004027D5
                                                                                    • htons.WS2_32(00000001), ref: 004027E3
                                                                                    • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                      • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                      • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                    • String ID:
                                                                                    • API String ID: 1128258776-0
                                                                                    • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                    • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                    • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                    • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                    APIs
                                                                                    • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: setsockopt
                                                                                    • String ID:
                                                                                    • API String ID: 3981526788-0
                                                                                    • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                    • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                    • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                    • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$lstrcmpi
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 1808961391-1857712256
                                                                                    • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                    • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                    • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                    • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(00000001,DO,00000000,00000000,00000000), ref: 004FE470
                                                                                    • CloseHandle.KERNEL32(00000001,00000003), ref: 004FE484
                                                                                      • Part of subcall function 004FE2FC: RegCreateKeyExA.ADVAPI32(80000001,004FE50A,00000000,00000000,00000000,00020106,00000000,004FE50A,00000000,000000E4), ref: 004FE319
                                                                                      • Part of subcall function 004FE2FC: RegSetValueExA.ADVAPI32(004FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 004FE38E
                                                                                      • Part of subcall function 004FE2FC: RegDeleteValueA.ADVAPI32(004FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO), ref: 004FE3BF
                                                                                      • Part of subcall function 004FE2FC: RegCloseKey.ADVAPI32(004FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,DO,004FE50A), ref: 004FE3C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                    • String ID: PromptOnSecureDesktop$DO
                                                                                    • API String ID: 4151426672-4234893205
                                                                                    • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                    • Instruction ID: 2243ee16565b54a06db42869e932ccad39558382e0132938269ee55100bc7ad1
                                                                                    • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                    • Instruction Fuzzy Hash: 7341AD7590021CBADB206A578C46FFB3B5CDB04719F14806BFB09541A2E7B98650DA79
                                                                                    APIs
                                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                    • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 3683885500-2980165447
                                                                                    • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                    • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                    • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                    • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                    APIs
                                                                                      • Part of subcall function 004FDF6C: GetCurrentThreadId.KERNEL32 ref: 004FDFBA
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,004FA6AC), ref: 004FE7BF
                                                                                    • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,004FA6AC), ref: 004FE7EA
                                                                                    • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,004FA6AC), ref: 004FE819
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 1396056608-2980165447
                                                                                    • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                    • Instruction ID: 4cd32e913f89254808d1cb34a8a23a615734358c5e8914441b5a680cab90b221
                                                                                    • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                    • Instruction Fuzzy Hash: 0521D8B1A403087AF22077239C07FBB3D5CDB65765F10002ABB09A52E3EA9D945085BD
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                    • API String ID: 2574300362-1087626847
                                                                                    • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                    • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                    • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                    • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 004F76D9
                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004F796D
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004F797E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseEnumOpen
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 1332880857-2980165447
                                                                                    • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                    • Instruction ID: 1b3ecd276ef450457476236e676d40991131170286f1dfa589fcebe27b7aac02
                                                                                    • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                    • Instruction Fuzzy Hash: 3A11DF70A04109AFEB119FA9DC45EBFBFB8EF41314F140166F610E6291E6BC8D508B65
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Memory Dump Source
• Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 004F999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 004F99BD
• RegCloseKey.ADVAPI32(?), ref: 004F99C6
Memory Dump Source
• Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
Memory Dump Source
• Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 004F69E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 004F6A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 004F6A3A
• CloseHandle.KERNEL32(000000FF), ref: 004F6BD8
  • Part of subcall function 004FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,004F1DCF,?), ref: 004FEEA8
  • Part of subcall function 004FEE95: HeapFree.KERNEL32(00000000), ref: 004FEEAF
Memory Dump Source
• Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
Memory Dump Source
• Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004F41AB
• GetLastError.KERNEL32 ref: 004F41B5
• WaitForSingleObject.KERNEL32(?,?), ref: 004F41C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004F41D9
Memory Dump Source
• Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004F421F
• GetLastError.KERNEL32 ref: 004F4229
• WaitForSingleObject.KERNEL32(?,?), ref: 004F423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004F424D
Memory Dump Source
• Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 004FE066
Memory Dump Source
• Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B040,0041A771), ref: 0041A3DC
• FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B040,0041A771), ref: 0041A3F7
• RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A41A
• GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 0041A422
Memory Dump Source
• Source File: 00000000.00000002.1747152733.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_Uc84uB877e.jbxd
Similarity
• API ID: AllocateDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
• String ID:
• API String ID: 975556166-0
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                    • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                    • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                    • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                    • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                    • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                    • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                    • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                    • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                    • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00403103
                                                                                    • GetTickCount.KERNEL32 ref: 0040310F
                                                                                    • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                    • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                    • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                    • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                    • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                      • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                      • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                      • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                      • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 4151426672-2980165447
                                                                                    • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                    • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                    • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                    • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 004F83C6
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 004F8477
                                                                                      • Part of subcall function 004F69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 004F69E5
                                                                                      • Part of subcall function 004F69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 004F6A26
                                                                                      • Part of subcall function 004F69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 004F6A3A
                                                                                      • Part of subcall function 004FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,004F1DCF,?), ref: 004FEEA8
                                                                                      • Part of subcall function 004FEE95: HeapFree.KERNEL32(00000000), ref: 004FEEAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 359188348-2980165447
                                                                                    • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                    • Instruction ID: 15eabb04d9a0f338da5f9a3b6ed7734192b326edac87b599bb9fee0eff06daab
                                                                                    • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                    • Instruction Fuzzy Hash: 88414FB290010DBFEB10EBA59E81DFF776CEB04344F1444AFE704DA151FAB85A948B69
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,004FE859,00000000,00020119,004FE859,PromptOnSecureDesktop), ref: 004FE64D
                                                                                    • RegCloseKey.ADVAPI32(004FE859,?,?,?,?,000000C8,000000E4), ref: 004FE787
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: PromptOnSecureDesktop
                                                                                    • API String ID: 47109696-2980165447
                                                                                    • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                    • Instruction ID: 7bf0b80484dc1f10577ef00e1aefcc40991aee74db86b677bd639604d91b513e
                                                                                    • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                    • Instruction Fuzzy Hash: 544136B2D0021DBFDF11EF95DC81DFEBBB9EB18305F144466FA00A6260E3759A158B64
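The registry and file calls listed in the three blocks above are easier to read once the raw hex arguments are decoded. The script below is an editor-added example, not part of the Joe Sandbox report or of the sample: it carries lookup tables taken from winreg.h and winnt.h and decodes the argument slots that line up with each API's documented prototype (hKey and samDesired for RegCreateKeyExA/RegOpenKeyExA, dwType for RegSetValueExA, dwFileAttributes for SetFileAttributesA, dwMilliseconds for Sleep). The argument strings in PAGE_CALLS are copied from the listing; everything else is the example's own. Two caveats a reader should keep in mind: the sandbox captures arguments from the stack, so slots past the documented parameter count (and captures such as the RegOpenKeyExA at 004F83C6, where the samDesired slot is shown as "?") are not reliable; and the captured root 0x80000001 is HKEY_CURRENT_USER, whereas the UAC policy value PromptOnSecureDesktop that Windows actually honours lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, so the subkey being written should be checked in the report's registry activity before drawing a conclusion about UAC tampering.

```python
import re

# Lookup tables from winreg.h / winnt.h (editor-added; not from the report).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
KEY_RIGHTS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
COMPOSITE_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
WOW64_MASK = 0x0300  # KEY_WOW64_64KEY | KEY_WOW64_32KEY sit outside the composite rights
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
FILE_ATTRS = [
    (0x01, "FILE_ATTRIBUTE_READONLY"), (0x02, "FILE_ATTRIBUTE_HIDDEN"),
    (0x04, "FILE_ATTRIBUTE_SYSTEM"), (0x10, "FILE_ATTRIBUTE_DIRECTORY"),
    (0x20, "FILE_ATTRIBUTE_ARCHIVE"), (0x80, "FILE_ATTRIBUTE_NORMAL"),
    (0x100, "FILE_ATTRIBUTE_TEMPORARY"),
]


def decode_bits(value, table):
    """Render a bit mask as 'A | B'; unknown leftover bits are kept as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(f"0x{rest:X}")
    return " | ".join(names) if names else "0"


def decode_sam(sam):
    """Prefer the composite name (KEY_READ/KEY_WRITE/...) and keep the WOW64 view bits separate."""
    base, wow = sam & ~WOW64_MASK, sam & WOW64_MASK
    if base in COMPOSITE_RIGHTS:
        parts = [COMPOSITE_RIGHTS[base]]
        if wow:
            parts.append(decode_bits(wow, KEY_RIGHTS))
        return " | ".join(parts)
    return decode_bits(sam, KEY_RIGHTS)


# Zero-based argument positions taken from the documented prototypes.
ARG_LAYOUT = {
    "RegCreateKeyExA": {"hKey": 0, "samDesired": 5},
    "RegOpenKeyExA": {"hKey": 0, "samDesired": 3},
    "RegSetValueExA": {"dwType": 3},
    "SetFileAttributesA": {"dwFileAttributes": 1},
    "Sleep": {"dwMilliseconds": 0},
}
DECODERS = {
    "hKey": lambda v: HKEY_ROOTS.get(v, f"handle 0x{v:08X}"),
    "samDesired": decode_sam,
    "dwType": lambda v: REG_TYPES.get(v, f"0x{v:X}"),
    "dwFileAttributes": lambda v: decode_bits(v, FILE_ATTRS),
    "dwMilliseconds": lambda v: f"{v} ms",
}


def parse_hex(token):
    """Return an int for an 8-digit hex token; '?' and string arguments give None."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", token) else None


def decode_call(api, args):
    """Decode only the slots that correspond to documented parameters of `api`."""
    out = {}
    for name, idx in ARG_LAYOUT.get(api, {}).items():
        value = parse_hex(args[idx]) if idx < len(args) else None
        if value is not None:
            out[name] = DECODERS[name](value)
    return out


# Argument strings copied from the calls listed on this page.
PAGE_CALLS = [
    ("RegCreateKeyExA", "80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4"),
    ("RegSetValueExA", "0040E2A3,?,00000000,00000003,80000001,000FF000"),
    ("RegOpenKeyExA", "80000001,004FE859,00000000,00020119,004FE859,PromptOnSecureDesktop"),
    ("SetFileAttributesA", "?,00000080"),
    ("SetFileAttributesA", "?,00000002"),
    ("Sleep", "000001F4"),
]


def decode_page_calls():
    return [(api, decode_call(api, raw.split(","))) for api, raw in PAGE_CALLS]


if __name__ == "__main__":
    for api, decoded in decode_page_calls():
        print(f"{api:20s} {decoded}")
```

The two registry opens resolve to KEY_WRITE | KEY_WOW64_64KEY and KEY_READ | KEY_WOW64_64KEY: this 32-bit sample explicitly asks for the 64-bit registry view rather than letting WOW64 redirect it, and the SetFileAttributesA pair clears attributes to NORMAL before setting HIDDEN on the same path.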
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 004FAFFF
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004FB00D
                                                                                      • Part of subcall function 004FAF6F: gethostname.WS2_32(?,00000080), ref: 004FAF83
                                                                                      • Part of subcall function 004FAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 004FAFE6
                                                                                      • Part of subcall function 004F331C: gethostname.WS2_32(?,00000080), ref: 004F333F
                                                                                      • Part of subcall function 004F331C: gethostbyname.WS2_32(?), ref: 004F3349
                                                                                      • Part of subcall function 004FAA0A: inet_ntoa.WS2_32(00000000), ref: 004FAA10
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                    • String ID: %OUTLOOK_BND_
                                                                                    • API String ID: 1981676241-3684217054
                                                                                    • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                    • Instruction ID: ce171d7b1d8faf3d4ffefc8ec69d7f5db91540ec8096925f34a2fdcfb3692a52
                                                                                    • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                    • Instruction Fuzzy Hash: C441F27290024CAFDB25EFA1DC45EEF376CFF04304F14442BBA1592152EA79DA548B59
                                                                                    APIs
                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 004F9536
                                                                                    • Sleep.KERNEL32(000001F4), ref: 004F955D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShellSleep
                                                                                    • String ID:
                                                                                    • API String ID: 4194306370-3916222277
                                                                                    • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                    • Instruction ID: 93ddff0d47361538ec320533c38acb0d7229fd527ce85b28950f0aa9866c0a34
                                                                                    • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                    • Instruction Fuzzy Hash: 0B410972C0839D7FEB378B68D89C7B73FA49B12314F1411A7D682572A2D67C4D82871A
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 004FB9D9
                                                                                    • InterlockedIncrement.KERNEL32(00413648), ref: 004FBA3A
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 004FBA94
                                                                                    • GetTickCount.KERNEL32 ref: 004FBB79
                                                                                    • GetTickCount.KERNEL32 ref: 004FBB99
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 004FBE15
                                                                                    • closesocket.WS2_32(00000000), ref: 004FBEB4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountIncrementInterlockedTick$closesocket
                                                                                    • String ID: %FROM_EMAIL
                                                                                    • API String ID: 1869671989-2903620461
                                                                                    • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                    • Instruction ID: a9380e48b204f9793c8e0569ebe854eecdd0ec2e3877409a8ee24c83d275f561
                                                                                    • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                    • Instruction Fuzzy Hash: D0316B7150024CDFDF25DFA5DC84AFA77A8EB49700F20405BFB2482161DB38DA85CB99
                                                                                    APIs
                                                                                    Strings
                                                                                    • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTickwsprintf
                                                                                    • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                    • API String ID: 2424974917-1012700906
                                                                                    • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                    • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                    • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                    • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                    APIs
                                                                                      • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                      • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                    • String ID: %FROM_EMAIL
                                                                                    • API String ID: 3716169038-2903620461
                                                                                    • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                    • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                    • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                    • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                    APIs
                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 004F70BC
                                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 004F70F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Name$AccountLookupUser
                                                                                    • String ID: |
                                                                                    • API String ID: 2370142434-2343686810
                                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                    • Instruction ID: 3325a2a6d500b6316e92254cb11cee5939a818b4a82ea789fafef7d08fd46b3a
                                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                    • Instruction Fuzzy Hash: 0C11E87290411CEBDF11CFD4DD84AEFB7BDEB04711F1441A6E601E6290D6789B88DBA4
                                                                                    APIs
                                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 2777991786-1857712256
                                                                                    • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                    • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                    • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                    • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                    APIs
                                                                                    • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                    • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: IncrementInterlockedlstrcpyn
                                                                                    • String ID: %FROM_EMAIL
                                                                                    • API String ID: 224340156-2903620461
                                                                                    • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                    • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                    • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                    • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                    APIs
                                                                                    • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                    • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: gethostbyaddrinet_ntoa
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 2112563974-1857712256
                                                                                    • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                    • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                    • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                    • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: gethostbynameinet_addr
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 1594361348-2401304539
                                                                                    • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                    • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                    • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                    • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: ntdll.dll
                                                                                    • API String ID: 2574300362-2227199552
                                                                                    • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                    • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                    • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                    • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                    APIs
                                                                                      • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                      • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                    • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747122476.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1747122476.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1017166417-0
                                                                                    • Opcode ID: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                    • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                    • Opcode Fuzzy Hash: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                    • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                    APIs
                                                                                      • Part of subcall function 004F2F88: GetModuleHandleA.KERNEL32(?), ref: 004F2FA1
                                                                                      • Part of subcall function 004F2F88: LoadLibraryA.KERNEL32(?), ref: 004F2FB1
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004F31DA
                                                                                    • HeapFree.KERNEL32(00000000), ref: 004F31E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1747290993.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4f0000_Uc84uB877e.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1017166417-0
                                                                                    • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                    • Instruction ID: 8f056bec72f794e08633c106ef10aa4cfa7ac2e701ea5e72f38a866c3bc4f77a
                                                                                    • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                    • Instruction Fuzzy Hash: 8F51DC3190020AAFCF01DF64D8889FAB775FF05305F1440AAED96C7211EB36DA19CB98

                                                                                    Execution Graph

                                                                                    Execution Coverage: 3.2%
                                                                                    Dynamic/Decrypted Code Coverage: 2%
                                                                                    Signature Coverage: 0%
                                                                                    Total number of Nodes: 1611
                                                                                    Total number of Limit Nodes: 15
                                                                                    execution_graph 14874 409961 RegisterServiceCtrlHandlerA 14875 40997d 14874->14875 14876 4099cb 14874->14876 14884 409892 14875->14884 14878 40999a 14879 4099ba 14878->14879 14880 409892 SetServiceStatus 14878->14880 14879->14876 14882 409892 SetServiceStatus 14879->14882 14881 4099aa 14880->14881 14881->14879 14887 4098f2 14881->14887 14882->14876 14885 4098c2 SetServiceStatus 14884->14885 14885->14878 14888 4098f6 14887->14888 14890 409904 Sleep 14888->14890 14892 409917 14888->14892 14895 404280 CreateEventA 14888->14895 14890->14888 14891 409915 14890->14891 14891->14892 14894 409947 14892->14894 14922 40977c 14892->14922 14894->14879 14896 4042a5 14895->14896 14897 40429d 14895->14897 14936 403ecd 14896->14936 14897->14888 14899 4042b0 14940 404000 14899->14940 14902 4043c1 CloseHandle 14902->14897 14903 4042ce 14946 403f18 WriteFile 14903->14946 14908 4043ba CloseHandle 14908->14902 14909 404318 14910 403f18 4 API calls 14909->14910 14911 404331 14910->14911 14912 403f18 4 API calls 14911->14912 14913 40434a 14912->14913 14954 40ebcc GetProcessHeap HeapAlloc 14913->14954 14916 403f18 4 API calls 14917 404389 14916->14917 14957 40ec2e 14917->14957 14920 403f8c 4 API calls 14921 40439f CloseHandle CloseHandle 14920->14921 14921->14897 14986 40ee2a 14922->14986 14925 4097c2 14927 4097d4 Wow64GetThreadContext 14925->14927 14926 4097bb 14926->14894 14928 409801 14927->14928 14929 4097f5 14927->14929 14988 40637c 14928->14988 14930 4097f6 TerminateProcess 14929->14930 14930->14926 14932 409816 14932->14930 14933 40981e WriteProcessMemory 14932->14933 14933->14929 14934 40983b Wow64SetThreadContext 14933->14934 14934->14929 14935 409858 ResumeThread 14934->14935 14935->14926 14937 403edc 14936->14937 14939 403ee2 14936->14939 14962 406dc2 14937->14962 14939->14899 14941 40400b CreateFileA 14940->14941 14942 40402c GetLastError 14941->14942 14943 404052 14941->14943 14942->14943 14944 
404037 14942->14944 14943->14897 14943->14902 14943->14903 14944->14943 14945 404041 Sleep 14944->14945 14945->14941 14945->14943 14947 403f7c 14946->14947 14948 403f4e GetLastError 14946->14948 14950 403f8c ReadFile 14947->14950 14948->14947 14949 403f5b WaitForSingleObject GetOverlappedResult 14948->14949 14949->14947 14951 403ff0 14950->14951 14952 403fc2 GetLastError 14950->14952 14951->14908 14951->14909 14952->14951 14953 403fcf WaitForSingleObject GetOverlappedResult 14952->14953 14953->14951 14980 40eb74 14954->14980 14958 40ec37 14957->14958 14959 40438f 14957->14959 14983 40eba0 14958->14983 14959->14920 14963 406dd7 14962->14963 14967 406e24 14962->14967 14968 406cc9 14963->14968 14965 406ddc 14965->14965 14966 406e02 GetVolumeInformationA 14965->14966 14965->14967 14966->14967 14967->14939 14969 406cdc GetModuleHandleA GetProcAddress 14968->14969 14970 406dbe 14968->14970 14971 406d12 GetSystemDirectoryA 14969->14971 14972 406cfd 14969->14972 14970->14965 14973 406d27 GetWindowsDirectoryA 14971->14973 14974 406d1e 14971->14974 14972->14971 14976 406d8b 14972->14976 14975 406d42 14973->14975 14974->14973 14974->14976 14978 40ef1e lstrlenA 14975->14978 14976->14970 14979 40ef32 14978->14979 14979->14976 14981 40eb7b GetProcessHeap HeapSize 14980->14981 14982 404350 14980->14982 14981->14982 14982->14916 14984 40eba7 GetProcessHeap HeapSize 14983->14984 14985 40ebbf GetProcessHeap HeapFree 14983->14985 14984->14985 14985->14959 14987 409794 CreateProcessA 14986->14987 14987->14925 14987->14926 14989 406386 14988->14989 14990 40638a GetModuleHandleA VirtualAlloc 14988->14990 14989->14932 14991 4063f5 14990->14991 14992 4063b6 14990->14992 14991->14932 14993 4063be VirtualAllocEx 14992->14993 14993->14991 14994 4063d6 14993->14994 14995 4063df WriteProcessMemory 14994->14995 14995->14991 15025 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 15142 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15025->15142 15027 409a95 15028 
409aa3 GetModuleHandleA GetModuleFileNameA 15027->15028 15033 40a3c7 15027->15033 15042 409ac4 15028->15042 15029 40a41c CreateThread WSAStartup 15253 40e52e 15029->15253 16080 40405e CreateEventA 15029->16080 15031 409afd GetCommandLineA 15040 409b22 15031->15040 15032 40a406 DeleteFileA 15032->15033 15034 40a40d 15032->15034 15033->15029 15033->15032 15033->15034 15037 40a3ed GetLastError 15033->15037 15034->15029 15035 40a445 15272 40eaaf 15035->15272 15037->15034 15039 40a3f8 Sleep 15037->15039 15038 40a44d 15276 401d96 15038->15276 15039->15032 15045 409c0c 15040->15045 15051 409b47 15040->15051 15042->15031 15043 40a457 15324 4080c9 15043->15324 15143 4096aa 15045->15143 15056 409b96 lstrlenA 15051->15056 15062 409b58 15051->15062 15052 40a1d2 15063 40a1e3 GetCommandLineA 15052->15063 15053 409c39 15057 40a167 GetModuleHandleA GetModuleFileNameA 15053->15057 15061 409c4b 15053->15061 15056->15062 15059 409c05 ExitProcess 15057->15059 15060 40a189 15057->15060 15060->15059 15071 40a1b2 GetDriveTypeA 15060->15071 15061->15057 15065 404280 30 API calls 15061->15065 15062->15059 15066 409bd2 15062->15066 15089 40a205 15063->15089 15068 409c5b 15065->15068 15155 40675c 15066->15155 15068->15057 15074 40675c 21 API calls 15068->15074 15071->15059 15073 40a1c5 15071->15073 15245 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 15073->15245 15076 409c79 15074->15076 15076->15057 15083 409ca0 GetTempPathA 15076->15083 15084 409e3e 15076->15084 15077 409bff 15077->15059 15079 40a491 15080 40a49f GetTickCount 15079->15080 15081 40a4be Sleep 15079->15081 15088 40a4b7 GetTickCount 15079->15088 15370 40c913 15079->15370 15080->15079 15080->15081 15081->15079 15083->15084 15085 409cba 15083->15085 15092 409e6b GetEnvironmentVariableA 15084->15092 15094 409e04 15084->15094 15193 4099d2 lstrcpyA 15085->15193 15086 40ec2e codecvt 4 API calls 15090 40a15d 15086->15090 15088->15081 15093 40a285 lstrlenA 15089->15093 15101 40a239 15089->15101 15090->15057 15090->15059 
15092->15094 15095 409e7d 15092->15095 15093->15101 15094->15086 15096 4099d2 16 API calls 15095->15096 15098 409e9d 15096->15098 15097 406dc2 6 API calls 15099 409d5f 15097->15099 15098->15094 15103 409eb0 lstrcpyA lstrlenA 15098->15103 15105 406cc9 5 API calls 15099->15105 15151 406ec3 15101->15151 15102 40a3c2 15106 4098f2 41 API calls 15102->15106 15104 409ef4 15103->15104 15107 406dc2 6 API calls 15104->15107 15110 409f03 15104->15110 15109 409d72 lstrcpyA lstrcatA lstrcatA 15105->15109 15106->15033 15107->15110 15108 40a39d StartServiceCtrlDispatcherA 15108->15102 15111 409cf6 15109->15111 15112 409f32 RegOpenKeyExA 15110->15112 15200 409326 15111->15200 15114 409f48 RegSetValueExA RegCloseKey 15112->15114 15117 409f70 15112->15117 15113 40a35f 15113->15102 15113->15108 15114->15117 15122 409f9d GetModuleHandleA GetModuleFileNameA 15117->15122 15118 409e0c DeleteFileA 15118->15084 15119 409dde GetFileAttributesExA 15119->15118 15121 409df7 15119->15121 15121->15094 15237 4096ff 15121->15237 15124 409fc2 15122->15124 15125 40a093 15122->15125 15124->15125 15131 409ff1 GetDriveTypeA 15124->15131 15126 40a103 CreateProcessA 15125->15126 15127 40a0a4 wsprintfA 15125->15127 15128 40a13a 15126->15128 15129 40a12a DeleteFileA 15126->15129 15243 402544 15127->15243 15128->15094 15135 4096ff 3 API calls 15128->15135 15129->15128 15131->15125 15133 40a00d 15131->15133 15137 40a02d lstrcatA 15133->15137 15134 40ee2a 15136 40a0ec lstrcatA 15134->15136 15135->15094 15136->15126 15138 40a046 15137->15138 15139 40a052 lstrcatA 15138->15139 15140 40a064 lstrcatA 15138->15140 15139->15140 15140->15125 15141 40a081 lstrcatA 15140->15141 15141->15125 15142->15027 15144 4096b9 15143->15144 15473 4073ff 15144->15473 15146 4096e2 15147 4096e9 15146->15147 15148 4096fa 15146->15148 15493 40704c 15147->15493 15148->15052 15148->15053 15150 4096f7 15150->15148 15152 406ed5 15151->15152 15153 406ecc 15151->15153 15152->15113 15518 406e36 GetUserNameW 15153->15518 15156 406784 
CreateFileA 15155->15156 15157 40677a SetFileAttributesA 15155->15157 15158 4067a4 CreateFileA 15156->15158 15159 4067b5 15156->15159 15157->15156 15158->15159 15160 4067c5 15159->15160 15161 4067ba SetFileAttributesA 15159->15161 15162 406977 15160->15162 15163 4067cf GetFileSize 15160->15163 15161->15160 15162->15059 15180 406a60 CreateFileA 15162->15180 15164 4067e5 15163->15164 15178 406922 15163->15178 15166 4067ed ReadFile 15164->15166 15164->15178 15165 40696e CloseHandle 15165->15162 15167 406811 SetFilePointer 15166->15167 15166->15178 15168 40682a ReadFile 15167->15168 15167->15178 15169 406848 SetFilePointer 15168->15169 15168->15178 15172 406867 15169->15172 15169->15178 15170 4068d0 15170->15165 15173 40ebcc 4 API calls 15170->15173 15171 406878 ReadFile 15171->15170 15171->15172 15172->15170 15172->15171 15174 4068f8 15173->15174 15175 406900 SetFilePointer 15174->15175 15174->15178 15176 40695a 15175->15176 15177 40690d ReadFile 15175->15177 15179 40ec2e codecvt 4 API calls 15176->15179 15177->15176 15177->15178 15178->15165 15179->15178 15181 406b8c GetLastError 15180->15181 15182 406a8f GetDiskFreeSpaceA 15180->15182 15183 406b86 15181->15183 15184 406ac5 15182->15184 15192 406ad7 15182->15192 15183->15077 15521 40eb0e 15184->15521 15188 406b56 CloseHandle 15188->15183 15191 406b65 GetLastError CloseHandle 15188->15191 15189 406b36 GetLastError CloseHandle 15190 406b7f DeleteFileA 15189->15190 15190->15183 15191->15190 15525 406987 15192->15525 15194 4099eb 15193->15194 15195 409a2f lstrcatA 15194->15195 15196 40ee2a 15195->15196 15197 409a4b lstrcatA 15196->15197 15198 406a60 13 API calls 15197->15198 15199 409a60 15198->15199 15199->15084 15199->15097 15199->15111 15535 401910 15200->15535 15203 40934a GetModuleHandleA GetModuleFileNameA 15205 40937f 15203->15205 15206 4093a4 15205->15206 15207 4093d9 15205->15207 15208 4093c3 wsprintfA 15206->15208 15209 409401 wsprintfA 15207->15209 15210 409415 15208->15210 15209->15210 15213 406cc9 5 API 
calls 15210->15213 15235 4094a0 15210->15235 15212 4094ac 15214 40962f 15212->15214 15215 4094e8 RegOpenKeyExA 15212->15215 15219 409439 15213->15219 15220 409646 15214->15220 15558 401820 15214->15558 15217 409502 15215->15217 15218 4094fb 15215->15218 15224 40951f RegQueryValueExA 15217->15224 15218->15214 15222 40958a 15218->15222 15225 40ef1e lstrlenA 15219->15225 15223 4095d6 15220->15223 15564 4091eb 15220->15564 15222->15220 15226 409593 15222->15226 15223->15118 15223->15119 15227 409530 15224->15227 15228 409539 15224->15228 15229 409462 15225->15229 15226->15223 15545 40f0e4 15226->15545 15230 40956e RegCloseKey 15227->15230 15231 409556 RegQueryValueExA 15228->15231 15232 40947e wsprintfA 15229->15232 15230->15218 15231->15227 15231->15230 15232->15235 15234 4095bb 15234->15223 15552 4018e0 15234->15552 15537 406edd 15235->15537 15238 402544 15237->15238 15239 40972d RegOpenKeyExA 15238->15239 15240 409740 15239->15240 15241 409765 15239->15241 15242 40974f RegDeleteValueA RegCloseKey 15240->15242 15241->15094 15242->15241 15244 402554 lstrcatA 15243->15244 15244->15134 15246 402544 15245->15246 15247 40919e wsprintfA 15246->15247 15248 4091bb 15247->15248 15602 409064 GetTempPathA 15248->15602 15251 4091d5 ShellExecuteA 15252 4091e7 15251->15252 15252->15077 15609 40dd05 GetTickCount 15253->15609 15255 40e538 15616 40dbcf 15255->15616 15257 40e544 15258 40e555 GetFileSize 15257->15258 15262 40e5b8 15257->15262 15259 40e5b1 CloseHandle 15258->15259 15260 40e566 15258->15260 15259->15262 15626 40db2e 15260->15626 15635 40e3ca RegOpenKeyExA 15262->15635 15264 40e576 ReadFile 15264->15259 15266 40e58d 15264->15266 15630 40e332 15266->15630 15267 40e5f2 15270 40e629 15267->15270 15271 40e3ca 19 API calls 15267->15271 15270->15035 15271->15270 15273 40eabe 15272->15273 15275 40eaba 15272->15275 15274 40dd05 6 API calls 15273->15274 15273->15275 15274->15275 15275->15038 15277 40ee2a 15276->15277 15278 401db4 GetVersionExA 15277->15278 15279 401dd0 
16402->16403 16404 40b4fd 16403->16404 16405 40b211 7 API calls 16404->16405 16406 40b509 16405->16406 16407 40ef7c 3 API calls 16406->16407 16408 40b51a 16407->16408 16408->16303 16411 40abe9 GetTickCount 16409->16411 16412 40ab8c 16409->16412 16410 40aba8 lstrcpynA 16410->16412 16414 40a51d 16411->16414 16412->16410 16412->16411 16413 40abe1 InterlockedIncrement 16412->16413 16413->16412 16415 40a4c7 4 API calls 16414->16415 16416 40a52c 16415->16416 16417 40a542 GetTickCount 16416->16417 16419 40a539 GetTickCount 16416->16419 16417->16419 16420 40a56c 16419->16420 16420->16303 16422 40a4c7 4 API calls 16421->16422 16423 40a633 16422->16423 16423->16303 16425 40f04e 4 API calls 16424->16425 16427 40372a 16425->16427 16426 403847 16426->16321 16426->16323 16427->16426 16428 4037b3 GetCurrentThreadId 16427->16428 16428->16427 16429 4037c8 GetCurrentThreadId 16428->16429 16429->16427 16431 40f04e 4 API calls 16430->16431 16435 40360c 16431->16435 16432 4036f1 16432->16322 16432->16323 16433 4036da GetCurrentThreadId 16433->16432 16434 4036e5 GetCurrentThreadId 16433->16434 16434->16432 16435->16432 16435->16433 16437 404bff InterlockedExchange 16436->16437 16438 404c08 16437->16438 16439 404bec GetTickCount 16437->16439 16438->16325 16439->16438 16440 404bf7 Sleep 16439->16440 16440->16437 16460 404763 16441->16460 16443 405b58 16470 404699 16443->16470 16446 404763 lstrlenA 16447 405b6e 16446->16447 16491 404f9f 16447->16491 16449 405b79 16449->16303 16451 405549 lstrlenA 16457 40548a 16451->16457 16453 40558d lstrcpynA 16453->16457 16454 405a9f lstrcpyA 16454->16457 16455 405472 13 API calls 16455->16457 16456 405935 lstrcpynA 16456->16457 16457->16443 16457->16453 16457->16454 16457->16455 16457->16456 16458 4058e7 lstrcpyA 16457->16458 16459 404ae6 8 API calls 16457->16459 16464 404ae6 16457->16464 16468 40ef7c lstrlenA lstrlenA lstrlenA 16457->16468 16458->16457 16459->16457 16462 40477a 16460->16462 16461 404859 16461->16457 16462->16461 16463 40480d lstrlenA 
16462->16463 16463->16462 16465 404af3 16464->16465 16467 404b03 16464->16467 16466 40ebed 8 API calls 16465->16466 16466->16467 16467->16451 16469 40efb4 16468->16469 16469->16457 16496 4045b3 16470->16496 16473 4045b3 7 API calls 16474 4046c6 16473->16474 16475 4045b3 7 API calls 16474->16475 16476 4046d8 16475->16476 16477 4045b3 7 API calls 16476->16477 16478 4046ea 16477->16478 16479 4045b3 7 API calls 16478->16479 16480 4046ff 16479->16480 16481 4045b3 7 API calls 16480->16481 16482 404711 16481->16482 16483 4045b3 7 API calls 16482->16483 16484 404723 16483->16484 16485 40ef7c 3 API calls 16484->16485 16486 404735 16485->16486 16487 40ef7c 3 API calls 16486->16487 16488 40474a 16487->16488 16489 40ef7c 3 API calls 16488->16489 16490 40475c 16489->16490 16490->16446 16492 404fac 16491->16492 16495 404fb0 16491->16495 16492->16449 16493 404ffd 16493->16449 16494 404fd5 IsBadCodePtr 16494->16495 16495->16493 16495->16494 16497 4045c1 16496->16497 16498 4045c8 16496->16498 16499 40ebcc 4 API calls 16497->16499 16500 40ebcc 4 API calls 16498->16500 16502 4045e1 16498->16502 16499->16498 16500->16502 16501 404691 16501->16473 16502->16501 16503 40ef7c 3 API calls 16502->16503 16503->16502 16519 402d21 GetModuleHandleA 16504->16519 16507 402f85 16508 402fcf GetProcessHeap HeapFree 16507->16508 16511 402f44 16508->16511 16509 402f4f 16510 402f6b GetProcessHeap HeapFree 16509->16510 16510->16511 16511->16346 16513 403900 16512->16513 16514 403980 16512->16514 16515 4030fa 4 API calls 16513->16515 16514->16344 16518 40390a 16515->16518 16516 40391b GetCurrentThreadId 16516->16518 16517 403939 GetCurrentThreadId 16517->16518 16518->16514 16518->16516 16518->16517 16520 402d46 LoadLibraryA 16519->16520 16521 402d5b GetProcAddress 16519->16521 16520->16521 16523 402d54 16520->16523 16521->16523 16525 402d6b 16521->16525 16522 402d97 GetProcessHeap HeapAlloc 16522->16523 16522->16525 16523->16507 16523->16509 16523->16511 16524 402db5 lstrcpynA 16524->16525 16525->16522 
16525->16523 16525->16524 16527 40a645 16526->16527 16528 40a64d 16526->16528 16527->16354 16529 40a66e 16528->16529 16530 40a65e GetTickCount 16528->16530 16529->16354 16530->16529 16532 40adbf 16531->16532 16556 40ad08 gethostname 16532->16556 16535 4030b5 2 API calls 16536 40add3 16535->16536 16537 40a7a3 inet_ntoa 16536->16537 16544 40ade4 16536->16544 16537->16544 16538 40ae85 wsprintfA 16539 40ef7c 3 API calls 16538->16539 16541 40aebb 16539->16541 16540 40ae36 wsprintfA wsprintfA 16542 40ef7c 3 API calls 16540->16542 16543 40ef7c 3 API calls 16541->16543 16542->16544 16545 40aed2 16543->16545 16544->16538 16544->16540 16546 40b211 16545->16546 16547 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16546->16547 16548 40b2af GetLocalTime 16546->16548 16549 40b2d2 16547->16549 16548->16549 16550 40b2d9 SystemTimeToFileTime 16549->16550 16551 40b31c GetTimeZoneInformation 16549->16551 16552 40b2ec 16550->16552 16554 40b33a wsprintfA 16551->16554 16553 40b312 FileTimeToSystemTime 16552->16553 16553->16551 16554->16398 16557 40ad71 16556->16557 16562 40ad26 lstrlenA 16556->16562 16559 40ad85 16557->16559 16560 40ad79 lstrcpyA 16557->16560 16559->16535 16560->16559 16561 40ad68 lstrlenA 16561->16557 16562->16557 16562->16561 16564 40f428 14 API calls 16563->16564 16565 40198a 16564->16565 16566 401990 closesocket 16565->16566 16567 401998 16565->16567 16566->16567 16567->16159 16569 402d21 6 API calls 16568->16569 16570 402f01 16569->16570 16571 402f0f 16570->16571 16584 402df2 GetModuleHandleA 16570->16584 16572 402684 2 API calls 16571->16572 16575 402f1f 16571->16575 16574 402f1d 16572->16574 16574->16166 16575->16166 16580 401c80 16576->16580 16577 401d1c 16577->16577 16581 401d47 wsprintfA 16577->16581 16578 401cc2 wsprintfA 16579 402684 2 API calls 16578->16579 16579->16580 16580->16577 16580->16578 16583 401d79 16580->16583 16582 402684 2 API calls 16581->16582 16582->16583 16583->16157 16585 402e10 LoadLibraryA 16584->16585 16586 402e0b 16584->16586 
16587 402e17 16585->16587 16586->16585 16586->16587 16588 402ef1 16587->16588 16589 402e28 GetProcAddress 16587->16589 16588->16571 16589->16588 16590 402e3e GetProcessHeap HeapAlloc 16589->16590 16593 402e62 16590->16593 16591 402ede GetProcessHeap HeapFree 16591->16588 16592 402e7f htons inet_addr 16592->16593 16594 402ea5 gethostbyname 16592->16594 16593->16588 16593->16591 16593->16592 16593->16594 16596 402ceb 16593->16596 16594->16593 16597 402cf2 16596->16597 16599 402d1c 16597->16599 16600 402d0e Sleep 16597->16600 16601 402a62 GetProcessHeap HeapAlloc 16597->16601 16599->16593 16600->16597 16600->16599 16602 402a92 16601->16602 16603 402a99 socket 16601->16603 16602->16597 16604 402cd3 GetProcessHeap HeapFree 16603->16604 16605 402ab4 16603->16605 16604->16602 16605->16604 16613 402abd 16605->16613 16606 402adb htons 16621 4026ff 16606->16621 16608 402b04 select 16608->16613 16609 402ca4 16610 402cb3 GetProcessHeap HeapFree closesocket 16609->16610 16610->16602 16611 402b3f recv 16611->16613 16612 402b66 htons 16612->16609 16612->16613 16613->16606 16613->16608 16613->16609 16613->16610 16613->16611 16613->16612 16614 402b87 htons 16613->16614 16617 402bf3 GetProcessHeap HeapAlloc 16613->16617 16618 402c17 htons 16613->16618 16620 402c4d GetProcessHeap HeapFree 16613->16620 16628 402923 16613->16628 16640 402904 16613->16640 16614->16609 16614->16613 16617->16613 16636 402871 16618->16636 16620->16613 16622 40271d 16621->16622 16623 402717 16621->16623 16625 40272b GetTickCount htons 16622->16625 16624 40ebcc 4 API calls 16623->16624 16624->16622 16626 4027cc htons htons sendto 16625->16626 16627 40278a 16625->16627 16626->16613 16627->16626 16629 402944 16628->16629 16631 40293d 16628->16631 16644 402816 htons 16629->16644 16631->16613 16632 402871 htons 16635 402950 16632->16635 16633 4029bd htons htons htons 16633->16631 16634 4029f6 GetProcessHeap HeapAlloc 16633->16634 16634->16631 16634->16635 16635->16631 16635->16632 16635->16633 16637 4028e3 
16636->16637 16638 402889 16636->16638 16637->16613 16638->16637 16638->16638 16639 4028c3 htons 16638->16639 16639->16637 16639->16638 16641 402908 16640->16641 16643 402921 16640->16643 16642 402909 GetProcessHeap HeapFree 16641->16642 16642->16642 16642->16643 16643->16613 16645 40286b 16644->16645 16646 402836 16644->16646 16645->16635 16646->16645 16647 40285c htons 16646->16647 16647->16645 16647->16646 16649 406bc0 16648->16649 16650 406bbc 16648->16650 16651 40ebcc 4 API calls 16649->16651 16653 406bd4 16649->16653 16650->16191 16652 406be4 16651->16652 16652->16653 16654 406c07 CreateFileA 16652->16654 16655 406bfc 16652->16655 16653->16191 16657 406c34 WriteFile 16654->16657 16658 406c2a 16654->16658 16656 40ec2e codecvt 4 API calls 16655->16656 16656->16653 16660 406c49 CloseHandle DeleteFileA 16657->16660 16661 406c5a CloseHandle 16657->16661 16659 40ec2e codecvt 4 API calls 16658->16659 16659->16653 16660->16658 16662 40ec2e codecvt 4 API calls 16661->16662 16662->16653 14996 460005 15001 46092b GetPEB 14996->15001 14998 460030 15003 46003c 14998->15003 15002 460972 15001->15002 15002->14998 15004 460049 15003->15004 15018 460e0f SetErrorMode SetErrorMode 15004->15018 15009 460265 15010 4602ce VirtualProtect 15009->15010 15012 46030b 15010->15012 15011 460439 VirtualFree 15015 4605f4 LoadLibraryA 15011->15015 15016 4604be 15011->15016 15012->15011 15013 4604e3 LoadLibraryA 15013->15016 15017 4608c7 15015->15017 15016->15013 15016->15015 15019 460223 15018->15019 15020 460d90 15019->15020 15021 460dad 15020->15021 15022 460dbb GetPEB 15021->15022 15023 460238 VirtualAlloc 15021->15023 15022->15023 15023->15009 14815 41a810 14818 41a430 14815->14818 14817 41a815 14819 41a458 14818->14819 14820 41a4e8 6 API calls 14819->14820 14828 41a5f9 14819->14828 14821 41a551 6 API calls 14820->14821 14822 41a5c6 GetSystemDefaultLCID 14821->14822 14826 41a5e0 14822->14826 14827 41a5d5 RtlLeaveCriticalSection 14822->14827 14823 41a64a GetSystemTimes 14825 41a66e 
14823->14825 14823->14828 14824 41a63a GetUserObjectInformationW 14824->14823 14830 41a66c 14825->14830 14831 41a677 FoldStringW 14825->14831 14826->14828 14829 41a5e9 LoadLibraryA 14826->14829 14827->14826 14828->14823 14828->14824 14828->14830 14829->14828 14832 41a691 GetConsoleAliasesLengthA CallNamedPipeA GetComputerNameA GetFileAttributesW GetConsoleAliasExesLengthW 14830->14832 14833 41a709 GlobalAlloc 14830->14833 14831->14830 14844 41a6ce 14832->14844 14835 41a726 14833->14835 14836 41a75c LoadLibraryW 14833->14836 14835->14836 14845 41a150 GetModuleHandleW GetProcAddress VirtualProtect 14836->14845 14838 41a76c 14846 41a3c0 14838->14846 14840 41a789 GlobalSize 14841 41a771 14840->14841 14841->14840 14842 41a7b3 InterlockedExchangeAdd 14841->14842 14843 41a7c9 14841->14843 14842->14841 14843->14817 14844->14833 14845->14838 14847 41a3e2 14846->14847 14848 41a3d6 QueryDosDeviceW 14846->14848 14857 41a2a0 14847->14857 14848->14847 14851 41a3f5 FreeEnvironmentStringsW 14852 41a3fd 14851->14852 14860 41a2e0 14852->14860 14855 41a414 RtlAllocateHeap GetNumaHighestNodeNumber 14856 41a428 14855->14856 14856->14841 14858 41a2b7 GetStartupInfoA LoadLibraryA 14857->14858 14859 41a2c9 14857->14859 14858->14859 14859->14851 14859->14852 14861 41a315 14860->14861 14862 41a304 BuildCommDCBW 14860->14862 14863 41a31d WritePrivateProfileStringA UnhandledExceptionFilter 14861->14863 14866 41a333 14861->14866 14862->14866 14863->14866 14864 41a393 14864->14855 14864->14856 14866->14864 14867 41a369 GetComputerNameW GetShortPathNameA 14866->14867 14868 41a2d0 14866->14868 14867->14866 14871 41a250 14868->14871 14872 41a27b 14871->14872 14873 41a26c VirtualLock 14871->14873 14872->14866 14873->14872 16663 553d0e 16664 553d1d 16663->16664 16667 5544ae 16664->16667 16668 5544c9 16667->16668 16669 5544d2 CreateToolhelp32Snapshot 16668->16669 16670 5544ee Module32First 16668->16670 16669->16668 16669->16670 16671 553d26 16670->16671 16672 5544fd 16670->16672 16674 55416d 
16672->16674 16675 554198 16674->16675 16676 5541a9 VirtualAlloc 16675->16676 16677 5541e1 16675->16677 16676->16677 15024 460920 TerminateProcess
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\Uc84uB877e.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\Uc84uB877e.exe$C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$D$P$\$rxarouyf
• API String ID: 2089075347-288646967
• Opcode ID: 210f584047e2a3557edc0ac511e6dc12bb7f949e626bf56cb8d544fe5afb1cee
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 210f584047e2a3557edc0ac511e6dc12bb7f949e626bf56cb8d544fe5afb1cee
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
[Control-flow graph for the function at 41a430 (rendered graph with executed/not-executed node coloring; node/edge listing not reproduced here)]
APIs
• InterlockedExchange.KERNEL32(?,00000000), ref: 0041A4EF
• SetConsoleTitleA.KERNEL32(00000000), ref: 0041A4F7
• GlobalSize.KERNEL32(00000000), ref: 0041A4FF
• FindAtomW.KERNEL32(00000000), ref: 0041A507
• SearchPathA.KERNEL32(0041C9B0,0041C998,0041C978,00000000,?,?), ref: 0041A52B
• SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041A535
• GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041A55D
• CopyFileExA.KERNEL32(0041C9DC,0041C9CC,00000000,00000000,00000000,00000000), ref: 0041A575
• GetEnvironmentStringsW.KERNEL32 ref: 0041A57B
• WriteConsoleOutputW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0041A59A
• GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 0041A5A4
• DebugActiveProcessStop.KERNEL32(00000000), ref: 0041A5AC
• GetSystemDefaultLCID.KERNEL32 ref: 0041A5C6
• RtlLeaveCriticalSection.NTDLL(?), ref: 0041A5DA
• LoadLibraryA.KERNEL32(00000000), ref: 0041A5F3
• GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041A644
• GetSystemTimes.KERNELBASE(?,?,?), ref: 0041A659
• FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041A681
• GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 0041A6A0
• CallNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041A6AD
• GetComputerNameA.KERNEL32(00000000,00000000), ref: 0041A6B5
• GetFileAttributesW.KERNEL32(00000000), ref: 0041A6BC
• GetConsoleAliasExesLengthW.KERNEL32 ref: 0041A6C2
• GlobalAlloc.KERNELBASE(00000000,00421FFC), ref: 0041A70C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786379043.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_415000_cwworbfr.jbxd
Similarity
• API ID: Console$DefaultFileGlobalLengthSystem$ActiveAliasAliasesAllocAtomAttributesCallCommComputerConfigCopyCriticalDebugEnvironmentExchangeExesFindFoldInformationInterlockedLeaveLibraryLoadModeNameNamedNodeNumaObjectOutputPathPipeProcessProcessorSearchSectionSizeStopStringStringsTimesTitleUserWrite
• String ID: G9@$k`$}$
• API String ID: 341275787-167184026
• Opcode ID: 6435a0b693ee3c0f5add715273c27709e575e720a3cdb1bf64fd6a5124c8f2b1
                                                                                    • Instruction ID: 2b01aa1a40784374f893aeac6b5f14252f8cfe1257af145ca4da5efdbb9e3ae1
                                                                                    • Opcode Fuzzy Hash: 6435a0b693ee3c0f5add715273c27709e575e720a3cdb1bf64fd6a5124c8f2b1
                                                                                    • Instruction Fuzzy Hash: C2A12671641310ABD320AB61DC4AFDB7B64EB4C715F01803AF669A61E0DBB895418BEF

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 579 40637c-406384 580 406386-406389 579->580 581 40638a-4063b4 GetModuleHandleA VirtualAlloc 579->581 582 4063f5-4063f7 581->582 583 4063b6-4063d4 call 40ee08 VirtualAllocEx 581->583 585 40640b-40640f 582->585 583->582 587 4063d6-4063f3 call 4062b7 WriteProcessMemory 583->587 587->582 590 4063f9-40640a 587->590 590->585
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                    • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                    • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 1965334864-0
                                                                                    • Opcode ID: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                    • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                    • Opcode Fuzzy Hash: dafa446f11e7c98dbfd5716669028cf329551362ce1bec339b6002f1eaca3cb4
                                                                                    • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 332 4073ff-407419 333 40741b 332->333 334 40741d-407422 332->334 333->334 335 407424 334->335 336 407426-40742b 334->336 335->336 337 407430-407435 336->337 338 40742d 336->338 339 407437 337->339 340 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 337->340 338->337 339->340 345 407487-40749d call 40ee2a 340->345 346 4077f9-4077fe call 40ee2a 340->346 352 407703-40770e RegEnumKeyA 345->352 351 407801 346->351 353 407804-407808 351->353 354 4074a2-4074b1 call 406cad 352->354 355 407714-40771d RegCloseKey 352->355 358 4074b7-4074cc call 40f1a5 354->358 359 4076ed-407700 354->359 355->351 358->359 362 4074d2-4074f8 RegOpenKeyExA 358->362 359->352 363 407727-40772a 362->363 364 4074fe-407530 call 402544 RegQueryValueExA 362->364 365 407755-407764 call 40ee2a 363->365 366 40772c-407740 call 40ef00 363->366 364->363 372 407536-40753c 364->372 377 4076df-4076e2 365->377 374 407742-407745 RegCloseKey 366->374 375 40774b-40774e 366->375 376 40753f-407544 372->376 374->375 379 4077ec-4077f7 RegCloseKey 375->379 376->376 378 407546-40754b 376->378 377->359 380 4076e4-4076e7 RegCloseKey 377->380 378->365 381 407551-40756b call 40ee95 378->381 379->353 380->359 381->365 384 407571-407593 call 402544 call 40ee95 381->384 389 407753 384->389 390 407599-4075a0 384->390 389->365 391 4075a2-4075c6 call 40ef00 call 40ed03 390->391 392 4075c8-4075d7 call 40ed03 390->392 398 4075d8-4075da 391->398 392->398 400 4075dc 398->400 401 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 398->401 400->401 410 407626-40762b 401->410 410->410 411 40762d-407634 410->411 412 407637-40763c 411->412 412->412 413 40763e-407642 412->413 414 407644-407656 call 40ed77 413->414 415 40765c-407673 call 40ed23 413->415 420 407769-40777c call 40ef00 414->420 421 407680 415->421 422 407675-40767e 415->422 427 4077e3-4077e6 RegCloseKey 420->427 424 407683-40768e call 406cad 421->424 422->424 429 407722-407725 424->429 430 407694-4076bf call 40f1a5 call 406c96 424->430 427->379 432 4076dd 429->432 436 4076c1-4076c7 430->436 437 4076d8 430->437 432->377 436->437 438 4076c9-4076d2 436->438 437->432 438->437 439 40777e-407797 GetFileAttributesExA 438->439 440 407799 439->440 441 40779a-40779f 439->441 440->441 442 4077a1 441->442 443 4077a3-4077a8 441->443 442->443 444 4077c4-4077c8 443->444 445 4077aa-4077c0 call 40ee08 443->445 447 4077d7-4077dc 444->447 448 4077ca-4077d6 call 40ef00 444->448 445->444 451 4077e0-4077e2 447->451 452 4077de 447->452 448->447 451->427 452->451
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                    • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                    • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                    • String ID: "
                                                                                    • API String ID: 3433985886-123907689
                                                                                    • Opcode ID: 92594f354633bb88517f7acf4746756fc69952fce073fe57c9bbb1d804d07feb
                                                                                    • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                    • Opcode Fuzzy Hash: 92594f354633bb88517f7acf4746756fc69952fce073fe57c9bbb1d804d07feb
                                                                                    • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 454 46003c-460047 455 46004c-460263 call 460a3f call 460e0f call 460d90 VirtualAlloc 454->455 456 460049 454->456 471 460265-460289 call 460a69 455->471 472 46028b-460292 455->472 456->455 477 4602ce-4603c2 VirtualProtect call 460cce call 460ce7 471->477 474 4602a1-4602b0 472->474 476 4602b2-4602cc 474->476 474->477 476->474 483 4603d1-4603e0 477->483 484 4603e2-460437 call 460ce7 483->484 485 460439-4604b8 VirtualFree 483->485 484->483 487 4605f4-4605fe 485->487 488 4604be-4604cd 485->488 491 460604-46060d 487->491 492 46077f-460789 487->492 490 4604d3-4604dd 488->490 490->487 496 4604e3-460505 LoadLibraryA 490->496 491->492 497 460613-460637 491->497 494 4607a6-4607b0 492->494 495 46078b-4607a3 492->495 498 4607b6-4607cb 494->498 499 46086e-4608be LoadLibraryA 494->499 495->494 500 460517-460520 496->500 501 460507-460515 496->501 502 46063e-460648 497->502 503 4607d2-4607d5 498->503 506 4608c7-4608f9 499->506 504 460526-460547 500->504 501->504 502->492 505 46064e-46065a 502->505 507 4607d7-4607e0 503->507 508 460824-460833 503->508 509 46054d-460550 504->509 505->492 510 460660-46066a 505->510 513 460902-46091d 506->513 514 4608fb-460901 506->514 515 4607e4-460822 507->515 516 4607e2 507->516 512 460839-46083c 508->512 517 460556-46056b 509->517 518 4605e0-4605ef 509->518 511 46067a-460689 510->511 521 460750-46077a 511->521 522 46068f-4606b2 511->522 512->499 523 46083e-460847 512->523 514->513 515->503 516->508 519 46056f-46057a 517->519 520 46056d 517->520 518->490 524 46057c-460599 519->524 525 46059b-4605bb 519->525 520->518 521->502 526 4606b4-4606ed 522->526 527 4606ef-4606fc 522->527 528 46084b-46086c 523->528 529 460849 523->529 537 4605bd-4605db 524->537 525->537 526->527 531 4606fe-460748 527->531 532 46074b 527->532 528->512 529->499 531->532 532->511 537->509
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0046024D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID: cess$kernel32.dll
                                                                                    • API String ID: 4275171209-1230238691
                                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction ID: e8f0e2ff3faa78ac9223ea13d9a3a4911cfacddde85a201cf7b7403c8586d98d
                                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction Fuzzy Hash: 17526974A00229DFDB64CF58C985BA9BBB1BF09304F1480DAE50DAB351EB34AE85DF15

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 538 40977c-4097b9 call 40ee2a CreateProcessA 541 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 538->541 542 4097bb-4097bd 538->542 546 409801-40981c call 40637c 541->546 547 4097f5 541->547 543 409864-409866 542->543 548 4097f6-4097ff TerminateProcess 546->548 551 40981e-409839 WriteProcessMemory 546->551 547->548 548->542 551->547 552 40983b-409856 Wow64SetThreadContext 551->552 552->547 553 409858-409863 ResumeThread 552->553 553->543
                                                                                    APIs
                                                                                    • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                    • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                    • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                    • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                    • String ID: D
                                                                                    • API String ID: 2098669666-2746444292
                                                                                    • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                    • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                    • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                    • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 554 41a733-41a73a 555 41a740-41a750 554->555 556 41a752 555->556 557 41a757-41a75a 555->557 556->557 557->555 558 41a75c-41a77f LoadLibraryW call 41a150 call 41a3c0 557->558 563 41a780-41a787 558->563 564 41a789-41a799 GlobalSize 563->564 565 41a79d-41a7a3 563->565 564->565 566 41a7a5 call 41a140 565->566 567 41a7aa-41a7b1 565->567 566->567 570 41a7c0-41a7c7 567->570 571 41a7b3-41a7ba InterlockedExchangeAdd 567->571 570->563 572 41a7c9-41a7d9 570->572 571->570 573 41a7e0-41a7e5 572->573 574 41a7e7-41a7ed 573->574 575 41a7ef-41a7f5 573->575 574->575 576 41a7f7-41a80b 574->576 575->573 575->576
                                                                                    APIs
                                                                                    • LoadLibraryW.KERNELBASE(0041CA40), ref: 0041A761
                                                                                    • GlobalSize.KERNEL32(00000000), ref: 0041A78B
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041A7BA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786379043.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_415000_cwworbfr.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExchangeGlobalInterlockedLibraryLoadSize
                                                                                    • String ID: k`$}$
                                                                                    • API String ID: 1230614907-956986773
                                                                                    • Opcode ID: a3e78ca8972b459e049ba6862a6a0ce0becd30ac4d270826d53a1e919f261356
                                                                                    • Instruction ID: 7b8ff2694f1d602ba7a946f95e1649465b5555d6d8af1b553a934ad92e012e3b
                                                                                    • Opcode Fuzzy Hash: a3e78ca8972b459e049ba6862a6a0ce0becd30ac4d270826d53a1e919f261356
                                                                                    • Instruction Fuzzy Hash: 0E115B306452108AC720AB20DC86BEBB760EB49315F04443FE679C62E1CB7895A187DF

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 578 41a150-41a245 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00421ED0), ref: 0041A1EE
                                                                                    • GetProcAddress.KERNEL32(00000000,00420640), ref: 0041A221
                                                                                    • VirtualProtect.KERNELBASE(00421D1C,00421FFC,00000040,?), ref: 0041A240
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786379043.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_415000_cwworbfr.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 2099061454-3916222277
                                                                                    • Opcode ID: 43eeca7b3c22ce8a6c466c546c19edbb344e041a21fc20c24d459346d5b8201c
                                                                                    • Instruction ID: 747ab1926375d96777e0e3d3484c6eb7921817781462841d468bdbe11fa8b97b
                                                                                    • Opcode Fuzzy Hash: 43eeca7b3c22ce8a6c466c546c19edbb344e041a21fc20c24d459346d5b8201c
                                                                                    • Instruction Fuzzy Hash: 20113774728244DAD330CF64FD45B063AB5EBA4704F81513CD9488B2B2D7B61526C75E

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 591 404000-404008 592 40400b-40402a CreateFileA 591->592 593 404057 592->593 594 40402c-404035 GetLastError 592->594 595 404059-40405c 593->595 596 404052 594->596 597 404037-40403a 594->597 599 404054-404056 595->599 596->599 597->596 598 40403c-40403f 597->598 598->595 600 404041-404050 Sleep 598->600 600->592 600->596
                                                                                    APIs
                                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                    • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                    • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateErrorFileLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 408151869-0
                                                                                    • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                    • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                    • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                    • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                    • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                                    • String ID:
                                                                                    • API String ID: 1209300637-0
                                                                                    • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                    • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                    • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                    • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 619 406e36-406e5d GetUserNameW 620 406ebe-406ec2 619->620 621 406e5f-406e95 LookupAccountNameW 619->621 621->620 622 406e97-406e9b 621->622 623 406ebb-406ebd 622->623 624 406e9d-406ea3 622->624 623->620 624->623 625 406ea5-406eaa 624->625 626 406eb7-406eb9 625->626 627 406eac-406eb0 625->627 626->620 627->623 628 406eb2-406eb5 627->628 628->623 628->626
                                                                                    APIs
                                                                                    • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Name$AccountLookupUser
                                                                                    • String ID:
                                                                                    • API String ID: 2370142434-0
                                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                    • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                    • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 629 5544ae-5544c7 630 5544c9-5544cb 629->630 631 5544d2-5544de CreateToolhelp32Snapshot 630->631 632 5544cd 630->632 633 5544e0-5544e6 631->633 634 5544ee-5544fb Module32First 631->634 632->631 633->634 640 5544e8-5544ec 633->640 635 554504-55450c 634->635 636 5544fd-5544fe call 55416d 634->636 641 554503 636->641 640->630 640->634 641->635
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005544D6
                                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 005544F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786560021.0000000000553000.00000040.00000020.00020000.00000000.sdmp, Offset: 00553000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_553000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 3833638111-0
                                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction ID: eb3ec1024a77c5c03a4c6f018b717deb22ddea5ba73ced9a7b800376a277b195
                                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction Fuzzy Hash: F2F06835100711ABDB202AB5989DB6E7AE8BF45769F104529EA46D14C0D670EC894E61

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 642 460e0f-460e24 SetErrorMode * 2 643 460e26 642->643 644 460e2b-460e2c 642->644 643->644
                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE(00000400,?,?,00460223,?,?), ref: 00460E19
                                                                                    • SetErrorMode.KERNELBASE(00000000,?,?,00460223,?,?), ref: 00460E1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                    • Instruction ID: 8105889f1ea39235d75ea13fd8274145810b0707c868035e919831dbe2c68e07
                                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                    • Instruction Fuzzy Hash: B9D0123154512877D7002A94DC09BCE7B1CDF05B62F008411FB0DD9180C775994046EA

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 645 406dc2-406dd5 646 406e33-406e35 645->646 647 406dd7-406df1 call 406cc9 call 40ef00 645->647 652 406df4-406df9 647->652 652->652 653 406dfb-406e00 652->653 654 406e02-406e22 GetVolumeInformationA 653->654 655 406e24 653->655 654->655 656 406e2e 654->656 655->656 656->646
                                                                                    APIs
                                                                                      • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                      • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                      • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                      • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                    • String ID:
                                                                                    • API String ID: 1823874839-0
                                                                                    • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                    • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                    • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                    • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 657 409892-4098c0 658 4098c2-4098c5 657->658 659 4098d9 657->659 658->659 660 4098c7-4098d7 658->660 661 4098e0-4098f1 SetServiceStatus 659->661 660->661
                                                                                    APIs
                                                                                    • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ServiceStatus
                                                                                    • String ID:
                                                                                    • API String ID: 3969395364-0
                                                                                    • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                    • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                    • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                    • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                    APIs
                                                                                    • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00460929
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 560597551-0
                                                                                    • Opcode ID: cf8f02fdaed65286ce872f3570c8b88d6c4cb2f13aa03d0d20e57ddf82142f08
                                                                                    • Instruction ID: c020644df524c2f76e0858e256880dd47cc8058b9a19a2f123197d7715fd106d
                                                                                    • Opcode Fuzzy Hash: cf8f02fdaed65286ce872f3570c8b88d6c4cb2f13aa03d0d20e57ddf82142f08
                                                                                    • Instruction Fuzzy Hash: DA90026024516011D820259D0C01B5500122747634F3117507270B92D1C44197004115
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005541BE
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786560021.0000000000553000.00000040.00000020.00020000.00000000.sdmp, Offset: 00553000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_553000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction ID: ad35adb6b87ca8ac55c56ace9f5c30dbbca7597485bf13103e609f3d456f2920
                                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction Fuzzy Hash: 9D112B79A00208EFDB01DF98C989E98BFF5AF08355F058095F9489B362D771EA90DF90
                                                                                    APIs
                                                                                      • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                    • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEventSleep
                                                                                    • String ID:
                                                                                    • API String ID: 3100162736-0
                                                                                    • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                    • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                    • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                    • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 004665F6
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00466610
                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00466631
                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00466652
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 1965334864-0
                                                                                    • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                    • Instruction ID: 66a07a0fea58eba9b28b406940a91e59f51e83a85aab67af5685934fcdcbadd2
                                                                                    • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                    • Instruction Fuzzy Hash: FA11A3B1600218BFDB219F65EC06F9B3FACEB047A5F114025F909E7251E7B5DD008AA9
                                                                                    APIs
                                                                                    • ExitProcess.KERNEL32 ref: 00469E6D
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00469FE1
                                                                                    • lstrcat.KERNEL32(?,?), ref: 00469FF2
                                                                                    • lstrcat.KERNEL32(?,0041070C), ref: 0046A004
                                                                                    • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0046A054
                                                                                    • DeleteFileA.KERNEL32(?), ref: 0046A09F
                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0046A0D6
                                                                                    • lstrcpy.KERNEL32 ref: 0046A12F
                                                                                    • lstrlen.KERNEL32(00000022), ref: 0046A13C
                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 00469F13
                                                                                      • Part of subcall function 00467029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00467081
                                                                                      • Part of subcall function 00466F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rxarouyf,00467043), ref: 00466F4E
                                                                                      • Part of subcall function 00466F30: GetProcAddress.KERNEL32(00000000), ref: 00466F55
                                                                                      • Part of subcall function 00466F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00466F7B
                                                                                      • Part of subcall function 00466F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00466F92
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0046A1A2
                                                                                    • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0046A1C5
                                                                                    • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0046A214
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0046A21B
                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 0046A265
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 0046A29F
                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 0046A2C5
                                                                                    • lstrcat.KERNEL32(?,00000022), ref: 0046A2D9
                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 0046A2F4
                                                                                    • wsprintfA.USER32 ref: 0046A31D
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 0046A345
                                                                                    • lstrcat.KERNEL32(?,?), ref: 0046A364
                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0046A387
                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0046A398
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0046A1D1
                                                                                      • Part of subcall function 00469966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0046999D
                                                                                      • Part of subcall function 00469966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 004699BD
                                                                                      • Part of subcall function 00469966: RegCloseKey.ADVAPI32(?), ref: 004699C6
                                                                                    • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0046A3DB
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0046A3E2
                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 0046A41D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                    • String ID: "$"$"$D$P$\
                                                                                    • API String ID: 1653845638-2605685093
                                                                                    • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                    • Instruction ID: 1219d345b56ada3c7473912bfc0a652d9c5cf1bd59f86910a8611584007bef6d
                                                                                    • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                    • Instruction Fuzzy Hash: 76F154B1D40259AFDF11DBA0DC49EEF77BCAB08304F0440AAF605E2141F7799A858F6A
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                    • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                    • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                    • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                    • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                    • API String ID: 2238633743-3228201535
                                                                                    • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                    • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                    • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                    • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                    • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                    • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                    • wsprintfA.USER32 ref: 0040B3B7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                    • API String ID: 766114626-2976066047
                                                                                    • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                    • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                    • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                    • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00467D21
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00467D46
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00467D7D
                                                                                    • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00467DA2
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00467DC0
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 00467DD1
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00467DE5
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00467DF3
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00467E03
                                                                                    • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00467E12
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00467E19
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00467E35
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                    • String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$D
                                                                                    • API String ID: 2976863881-616653794
                                                                                    • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                    • Instruction ID: c9b083e266b4c9efa3e04462be38469f1fabf68602300ce422d0316946cd20c7
                                                                                    • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                    • Instruction Fuzzy Hash: 3CA15071900219AFDB11CFA1DD44FEFBFB8FB08344F14856AE505E2250EB798A85CB69
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                    • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                    • String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$D
                                                                                    • API String ID: 2976863881-616653794
                                                                                    • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                    • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                    • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                    • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                    • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                    • API String ID: 2400214276-165278494
                                                                                    • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                    • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                    • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                    • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 0040A7FB
                                                                                    • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                    • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                    • wsprintfA.USER32 ref: 0040A8AF
                                                                                    • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                    • wsprintfA.USER32 ref: 0040A8E2
                                                                                    • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                    • wsprintfA.USER32 ref: 0040A9B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$send$lstrlenrecv
                                                                                    • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                    • API String ID: 3650048968-2394369944
                                                                                    • Opcode ID: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
                                                                                    • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                    • Opcode Fuzzy Hash: e28565558cb0d863a75f1a8c28663d7dfa8bdf35cbf6dace20ad3122ce5fd1be
                                                                                    • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00467A96
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00467ACD
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00467ADF
                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00467B01
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00467B1F
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 00467B39
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00467B4A
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00467B58
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00467B68
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00467B77
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00467B7E
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00467B9A
                                                                                    • GetAce.ADVAPI32(?,?,?), ref: 00467BCA
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 00467BF1
                                                                                    • DeleteAce.ADVAPI32(?,?), ref: 00467C0A
                                                                                    • EqualSid.ADVAPI32(?,?), ref: 00467C2C
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00467CB1
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00467CBF
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00467CD0
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00467CE0
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00467CEE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                    • String ID: D
                                                                                    • API String ID: 3722657555-2746444292
                                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                    • Instruction ID: 8d975dcbab33ed6dc9595da1f6576de53934b5e3fd21b5e3249c228d665c0489
                                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                    • Instruction Fuzzy Hash: C5816F71904219AFDB11CFA4DD44FEFBBB8FF08708F14806AE505E6250E7799A81CB69
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                    • String ID: D
                                                                                    • API String ID: 3722657555-2746444292
                                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                    • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                    • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                    APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$localcfg
• API String ID: 237177642-3663302472
• Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
• API String ID: 1628651668-179334549
• Opcode ID: a61a7175f41a72e4ed55554bcbe8f28090feb92d632b3ceef371416ca030a5a9
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: a61a7175f41a72e4ed55554bcbe8f28090feb92d632b3ceef371416ca030a5a9
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0046865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0046867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 004686A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 004686B1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe
• API String ID: 237177642-2541598318
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: f5abb0f1ed6e5610c2f9df5134e4534a9acba1ff292cb7fd9223b5931b238962
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: A7C1A5B1940109BEEB11ABA4DD85EEF7B7CEB04304F14417FF604E2151FAB84E948B6A
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
APIs
• ShellExecuteExW.SHELL32(?), ref: 00461601
• lstrlenW.KERNEL32(-00000003), ref: 004617D8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: 575ed1a998203c65e85d920c4b2a030616bc0191b89e7d64202a9f0fa2d4dae4
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: 36F17EB15083419FD720DF64C888BABB7E4FB88305F14892EF596973A0E7789944CB5B
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 004676D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00467757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0046778F
• ___ascii_stricmp.LIBCMT ref: 004678B4
• RegCloseKey.ADVAPI32(?), ref: 0046794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0046796D
• RegCloseKey.ADVAPI32(?), ref: 0046797E
• RegCloseKey.ADVAPI32(?), ref: 004679AC
• RegCloseKey.ADVAPI32(?), ref: 00467A56
  • Part of subcall function 0046F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0046772A,?), ref: 0046F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004679F6
• RegCloseKey.ADVAPI32(?), ref: 00467A4D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: dbdbdf13628fa3d0c8b3c772845336025b1981628a0738dc83a8ed7038016f8b
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: AEC1E371904209AFEB119BA5DC45FEF7BB9EF04318F1000A7F544E6251FB789E848B6A
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00462CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00462D07
• htons.WS2_32(00000000), ref: 00462D42
• select.WS2_32 ref: 00462D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00462DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00462E62
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: fdb665fc0833520014a38bcfb1586ee9c27e219fdcb17a5fad395e7b1f2452b5
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: EB61F271504705BBC7209F61DD08B6BBBF8FB48745F14482AF98497291E7F9D8808BAB
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                                    • API String ID: 929413710-2099955842
                                                                                    • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                    • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                    • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                    • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                    APIs
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                    • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                    • CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                    • String ID:
                                                                                    • API String ID: 2622201749-0
                                                                                    • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                    • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                    • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                    • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                    • wsprintfA.USER32 ref: 004093CE
                                                                                    • wsprintfA.USER32 ref: 0040940C
                                                                                    • wsprintfA.USER32 ref: 0040948D
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                    • String ID: runas
                                                                                    • API String ID: 3696105349-4000483414
                                                                                    • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                    • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                    • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                    • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 0040B467
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$wsprintf
                                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                    • API String ID: 1220175532-2340906255
                                                                                    • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                    • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                    • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                    • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00402078
                                                                                    • GetTickCount.KERNEL32 ref: 004020D4
                                                                                    • GetTickCount.KERNEL32 ref: 004020DB
                                                                                    • GetTickCount.KERNEL32 ref: 0040212B
                                                                                    • GetTickCount.KERNEL32 ref: 00402132
                                                                                    • GetTickCount.KERNEL32 ref: 00402142
                                                                                      • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                      • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                      • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                      • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                      • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                    • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                    • API String ID: 3976553417-1522128867
                                                                                    • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                    • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                    • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                    • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                    APIs
                                                                                    • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                    • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: closesockethtonssocket
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 311057483-2401304539
                                                                                    • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                    • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                    • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                    • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                    • ExitProcess.KERNEL32 ref: 00404121
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEventExitProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2404124870-0
                                                                                    • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                    • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                    • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                    • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                    APIs
                                                                                      • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                      • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                    • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                    • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                    • GetTickCount.KERNEL32 ref: 0040C363
                                                                                    • GetTickCount.KERNEL32 ref: 0040C378
                                                                                    • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                    • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                    • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 1553760989-1857712256
                                                                                    • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                    • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                    • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                    • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00463068
                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00463078
                                                                                    • GetProcAddress.KERNEL32(00000000,00410408), ref: 00463095
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004630B6
                                                                                    • htons.WS2_32(00000035), ref: 004630EF
                                                                                    • inet_addr.WS2_32(?), ref: 004630FA
                                                                                    • gethostbyname.WS2_32(?), ref: 0046310D
                                                                                    • HeapFree.KERNEL32(00000000), ref: 0046314D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                    • String ID: iphlpapi.dll
                                                                                    • API String ID: 2869546040-3565520932
                                                                                    • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                    • Instruction ID: 9c2b90f42cc5a7bdbf589f3375498eab9d656a12e388a07d97951708372547e2
                                                                                    • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                    • Instruction Fuzzy Hash: CE31C771A00246ABDB119FB49C48AEF77B8EF05362F144126E518E3390FB78DE418B5E
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(?), ref: 004695A7
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 004695D5
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 004695DC
                                                                                    • wsprintfA.USER32 ref: 00469635
                                                                                    • wsprintfA.USER32 ref: 00469673
                                                                                    • wsprintfA.USER32 ref: 004696F4
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00469758
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0046978D
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004697D8
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                    • String ID:
                                                                                    • API String ID: 3696105349-0
                                                                                    • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                    • Instruction ID: a6fd54eb5938015db179398a9f4afb1b984978b11982de4fe686e850a49e5363
                                                                                    • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                    • Instruction Fuzzy Hash: 13A160B190020CFBEB21DFA1DC45FDB3BACEB05745F10402BF91596251E7B9D9848BAA
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                                    • API String ID: 3560063639-3847274415
                                                                                    • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                    • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                    • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                    • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                    APIs
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmpi
                                                                                    • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                    • API String ID: 1586166983-1625972887
                                                                                    • Opcode ID: 9bc1f6eaf859e488329790364f54f8d8fb956d111e5ea2dcff1f0b71cefcbf58
                                                                                    • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                    • Opcode Fuzzy Hash: 9bc1f6eaf859e488329790364f54f8d8fb956d111e5ea2dcff1f0b71cefcbf58
                                                                                    • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                    • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                    • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                    • String ID:
                                                                                    • API String ID: 3188212458-0
                                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                    APIs
                                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 004667C3
                                                                                    • htonl.WS2_32(?), ref: 004667DF
                                                                                    • htonl.WS2_32(?), ref: 004667EE
                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 004668F1
                                                                                    • ExitProcess.KERNEL32 ref: 004669BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Processhtonl$CurrentExitHugeRead
                                                                                    • String ID: except_info$localcfg
                                                                                    • API String ID: 1150517154-3605449297
                                                                                    • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                    • Instruction ID: 5d473296e321bcd019cc516c698bedcff2f6ed578adb2a2fa86ffbf6573072d7
                                                                                    • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                    • Instruction Fuzzy Hash: 4E618F71940208AFDF609FB4DC45FEA77E9FF08300F24806AFA6DD2161EA7599948F14
                                                                                    APIs
                                                                                    • htons.WS2_32(0046CC84), ref: 0046F5B4
                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0046F5CE
                                                                                    • closesocket.WS2_32(00000000), ref: 0046F5DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: closesockethtonssocket
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 311057483-2401304539
                                                                                    • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                    • Instruction ID: c3ad93833fd92cd4dbe6ca593c5b7bbe20f10690b34062f987aeca3e6a2c9767
                                                                                    • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                    • Instruction Fuzzy Hash: 31319E71900118ABDB10DFA5EC85DEF7BBCEF48310F10416AF955D3150E7748A868BAA
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                    • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                    • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                    • wsprintfA.USER32 ref: 00407036
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                    • String ID: /%d$|
                                                                                    • API String ID: 676856371-4124749705
                                                                                    • Opcode ID: 0d12a7b496ace9c0c99c0276ab90a72f2bda41479394b1ea55399d50714db434
                                                                                    • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                    • Opcode Fuzzy Hash: 0d12a7b496ace9c0c99c0276ab90a72f2bda41479394b1ea55399d50714db434
                                                                                    • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(?), ref: 00462FA1
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 00462FB1
                                                                                    • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00462FC8
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00463000
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00463007
                                                                                    • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00463032
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                    • String ID: dnsapi.dll
                                                                                    • API String ID: 1242400761-3175542204
                                                                                    • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                    • Instruction ID: 6373af9ecfdbcdcc4812ed10d8e942b791db771ae1d9713e782cd993e30dec0a
                                                                                    • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                    • Instruction Fuzzy Hash: 4521A471900625BBCB219F55DD449EFBBBCEF08B11F104422F901E7241E7B89E8597D9
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                    • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                    • API String ID: 1082366364-3395550214
                                                                                    • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                    • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                    • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                    • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00469A18
                                                                                    • GetThreadContext.KERNEL32(?,?), ref: 00469A52
                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00469A60
                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00469A98
                                                                                    • SetThreadContext.KERNEL32(?,00010002), ref: 00469AB5
                                                                                    • ResumeThread.KERNEL32(?), ref: 00469AC2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                    • String ID: D
                                                                                    • API String ID: 2981417381-2746444292
                                                                                    • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                    • Instruction ID: 02048140c237de14cebfc5dc5457e0c6cadeed54341999c546a1d5e42f311d14
                                                                                    • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                    • Instruction Fuzzy Hash: 32213BB1A01219BBDF119BE1DC09EEF7BBCEF05750F404062BA19E1150F7B98A44CBA9
                                                                                    APIs
                                                                                    • inet_addr.WS2_32(004102D8), ref: 00461C18
                                                                                    • LoadLibraryA.KERNEL32(004102C8), ref: 00461C26
                                                                                    • GetProcessHeap.KERNEL32 ref: 00461C84
                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00461C9D
                                                                                    • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00461CC1
                                                                                    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00461D02
                                                                                    • FreeLibrary.KERNEL32(?), ref: 00461D0B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                    • String ID:
                                                                                    • API String ID: 2324436984-0
                                                                                    • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                    • Instruction ID: 8a0f5a58ef4e3404dfd15392a0680d95cbaafbf80fa71f7c217fb71da8dc693d
                                                                                    • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                    • Instruction Fuzzy Hash: 6E313271D00219BFCB119FA4DC898AFBAB5EB45711B28447AE501A2220E7B95D80DB59
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00466CE4
                                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00466D22
                                                                                    • GetLastError.KERNEL32 ref: 00466DA7
                                                                                    • CloseHandle.KERNEL32(?), ref: 00466DB5
                                                                                    • GetLastError.KERNEL32 ref: 00466DD6
                                                                                    • DeleteFileA.KERNEL32(?), ref: 00466DE7
                                                                                    • GetLastError.KERNEL32 ref: 00466DFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                    • String ID:
                                                                                    • API String ID: 3873183294-0
                                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction ID: 3e05043c1ea8d103c27e3688d333857772f4dc729681195ccacdddd3c8869033
                                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                    • Instruction Fuzzy Hash: CD310376A00249BFCB01DFA4DD44ADF7FB9EB48300F15806AE211E3211E7748A558B6A
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rxarouyf,00467043), ref: 00466F4E
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00466F55
                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00466F7B
                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00466F92
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                    • String ID: C:\Windows\SysWOW64\$\\.\pipe\rxarouyf
                                                                                    • API String ID: 1082366364-3010572231
                                                                                    • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                    • Instruction ID: c1ec5368cdf60e90402083da09adae1c430d63efba11c0144c70f32be452cfdb
                                                                                    • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                    • Instruction Fuzzy Hash: 2421382174434079F7225731AC89FFB2E4C8B52758F1840ABF544D5281FADD88D6827F
                                                                                    APIs
                                                                                    • BuildCommDCBW.KERNEL32(00000000,?), ref: 0041A30D
                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041A325
                                                                                    • UnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A32D
                                                                                    • GetComputerNameW.KERNEL32(?,?), ref: 0041A377
                                                                                    • GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0041A388
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786379043.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_415000_cwworbfr.jbxd
                                                                                    Similarity
                                                                                    • API ID: Name$BuildCommComputerExceptionFilterPathPrivateProfileShortStringUnhandledWrite
                                                                                    • String ID: -
                                                                                    • API String ID: 2733835202-2547889144
                                                                                    • Opcode ID: 972dee78267316b5dbc7bbd4915cf806889cba8b0a6c244f953a6d876a44d7a2
                                                                                    • Instruction ID: 650986be5dc8b55ca1c5e983756b84529eb98bd1a87a0d55f1c42adaeb56040e
                                                                                    • Opcode Fuzzy Hash: 972dee78267316b5dbc7bbd4915cf806889cba8b0a6c244f953a6d876a44d7a2
                                                                                    • Instruction Fuzzy Hash: 8321B7715452189BE720DF64DC85FEE77B4EB0C310F5041A9EA199A1C0CF785A858B5A
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen
                                                                                    • String ID: $localcfg
                                                                                    • API String ID: 1659193697-2018645984
                                                                                    • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                    • Instruction ID: 4a25f62dcf720caa5e89889249d9cff1c4ea3a7cd55b67a1c9c6691331500524
                                                                                    • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                    • Instruction Fuzzy Hash: C9712B71A00704AADF219B54DC85FEF376AAB00705F24402BFA05B6191FA6D9DA88F5F
                                                                                    APIs
                                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                    • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                    • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                    • String ID: flags_upd$localcfg
                                                                                    • API String ID: 204374128-3505511081
                                                                                    • Opcode ID: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                    • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                    • Opcode Fuzzy Hash: 2e8906757388b0cc02cf4226a1faca2848dce0e0b6cc783beaf2f73dd01b3536
                                                                                    • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                    APIs
                                                                                      • Part of subcall function 0046DF6C: GetCurrentThreadId.KERNEL32 ref: 0046DFBA
                                                                                    • lstrcmp.KERNEL32(00410178,00000000), ref: 0046E8FA
                                                                                    • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00466128), ref: 0046E950
                                                                                    • lstrcmp.KERNEL32(?,00000008), ref: 0046E989
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                    • String ID: A$ A$ A
                                                                                    • API String ID: 2920362961-1846390581
                                                                                    • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                    • Instruction ID: 84f7a686ad46791673cf73af93468aa2a4aa8ed4242560fd89cdeffa79db226e
                                                                                    • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                    • Instruction Fuzzy Hash: 0331BC796007059BDB718F26C884BA73BE4EF04320F10852BE5568B651F378E888CB8B
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Code
                                                                                    • String ID:
                                                                                    • API String ID: 3609698214-0
                                                                                    • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                    • Instruction ID: dc05a5651291da17e8fee3e16e48f94456ad55045eae53114799699b4b450369
                                                                                    • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                    • Instruction Fuzzy Hash: 28218E7A204215BFDB109BB1FC49EDF3FADDB48365B218426F502D1091FB7A9A00967A
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Code
                                                                                    • String ID:
                                                                                    • API String ID: 3609698214-0
                                                                                    • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                    • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                    • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                    • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                    APIs
                                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 004692E2
                                                                                    • wsprintfA.USER32 ref: 00469350
                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00469375
                                                                                    • lstrlen.KERNEL32(?,?,00000000), ref: 00469389
                                                                                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 00469394
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0046939B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2439722600-0
                                                                                    • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                    • Instruction ID: 023a06ff9cc77ec5513348e7d54f3dc1b5ac43cfe2957c07884ee1ed1972e962
                                                                                    • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                    • Instruction Fuzzy Hash: 331175B56401147BE7246732EC0EFEF3A6DDBC8B15F00806ABB05A5191FAB84A458669
                                                                                    APIs
                                                                                    • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                    • wsprintfA.USER32 ref: 004090E9
                                                                                    • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                    • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2439722600-0
                                                                                    • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                    • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                    • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                    • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                    • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                    • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                    • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 3819781495-0
                                                                                    • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                    • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                    • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                    • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0046C6B4
                                                                                    • InterlockedIncrement.KERNEL32(0046C74B), ref: 0046C715
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0046C747), ref: 0046C728
                                                                                    • CloseHandle.KERNEL32(00000000,?,0046C747,00413588,00468A77), ref: 0046C733
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 1026198776-1857712256
                                                                                    • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                    • Instruction ID: 5c05d032a0a0d1c5be8db67d709a294fed3e08fc537e46b2d6bfcb40599f6fdc
                                                                                    • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                    • Instruction Fuzzy Hash: 50514EB1A01B419FD7249F29C9C552BBBE9FB48304B50593FE18BC7A90E778F8408B59
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                      • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                      • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                      • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                    • String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe
                                                                                    • API String ID: 124786226-3473164681
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0046E50A,00000000,00000000,00000000,00020106,00000000,0046E50A,00000000,000000E4), ref: 0046E319
• RegSetValueExA.ADVAPI32(0046E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0046E38E
• RegDeleteValueA.ADVAPI32(0046E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DF), ref: 0046E3BF
• RegCloseKey.ADVAPI32(0046E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DF,0046E50A), ref: 0046E3C8
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: DF
• API String ID: 2667537340-4019976760
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 004671E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00467228
• LocalFree.KERNEL32(?,?,?), ref: 00467286
• wsprintfA.USER32 ref: 0046729D
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0046B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0046B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0046B590
• wsprintfA.USER32 ref: 0046B61E
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00466303
• LoadLibraryA.KERNEL32(?), ref: 0046632A
• GetProcAddress.KERNEL32(00000000,?), ref: 004663B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00466405
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• String ID:
• API String ID: 1802437671-0
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 004693C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 004693CD
• CharToOemA.USER32(?,?), ref: 004693DB
• wsprintfA.USER32 ref: 00469410
  • Part of subcall function 004692CB: GetTempPathA.KERNEL32(00000400,?), ref: 004692E2
  • Part of subcall function 004692CB: wsprintfA.USER32 ref: 00469350
  • Part of subcall function 004692CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00469375
  • Part of subcall function 004692CB: lstrlen.KERNEL32(?,?,00000000), ref: 00469389
  • Part of subcall function 004692CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00469394
  • Part of subcall function 004692CB: CloseHandle.KERNEL32(00000000), ref: 0046939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00469448
Memory Dump Source
• Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
                                                                                    • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                    • Instruction ID: 7ce033e65bf6baf3116593ee608b163214a6d84670c0ed9f5e126f422799786e
                                                                                    • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                    • Instruction Fuzzy Hash: 470152F69001187BD721A7619D89EDF377CDB95705F0040A6BB49E2080EAF89AC58F75
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                    • CharToOemA.USER32(?,?), ref: 00409174
                                                                                    • wsprintfA.USER32 ref: 004091A9
                                                                                      • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                      • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                      • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                      • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                      • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                      • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3857584221-0
                                                                                    • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                    • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                    • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                    • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$lstrcmpi
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 1808961391-1857712256
                                                                                    • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                    • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                    • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                    • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                    • API String ID: 2574300362-1087626847
                                                                                    • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                    • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                    • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                    • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                    APIs
                                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                    • String ID: hi_id$localcfg
                                                                                    • API String ID: 2777991786-2393279970
                                                                                    • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                    • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                    • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                    • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                    • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                    • String ID: *p@
                                                                                    • API String ID: 3429775523-2474123842
                                                                                    • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                    • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                    • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                    • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: gethostbynameinet_addr
                                                                                    • String ID: time_cfg$u6A
                                                                                    • API String ID: 1594361348-1940331995
                                                                                    • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                    • Instruction ID: 930cff158c4b1629a8513d50f2c3955b2bf71b576caa1074303b84e0b35d475d
                                                                                    • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                    • Instruction Fuzzy Hash: B1E08C30604A11AFCB009B28F848AC637A4AF4A330F008282F040D72A0D7B89C809649
                                                                                    APIs
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 004669E5
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 00466A26
                                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00466A3A
                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 00466BD8
                                                                                      • Part of subcall function 0046EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00461DCF,?), ref: 0046EEA8
                                                                                      • Part of subcall function 0046EE95: HeapFree.KERNEL32(00000000), ref: 0046EEAF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                    • String ID:
                                                                                    • API String ID: 3384756699-0
                                                                                    • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                    • Instruction ID: 15806b5b9fee570e866e7cd9c13a7e6b11daf1d78ca13336408fec047696a960
                                                                                    • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                    • Instruction Fuzzy Hash: 0571367190022DEFDF10DFA4CC80AEEBBB9FB04714F10456AE515E6290E734AE92DB65
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf
                                                                                    • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                    • API String ID: 2111968516-120809033
                                                                                    • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                    • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                    • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                    • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                    APIs
                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                    • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                    • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                    • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Value$CloseCreateDelete
                                                                                    • String ID:
                                                                                    • API String ID: 2667537340-0
                                                                                    • Opcode ID: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                    • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                    • Opcode Fuzzy Hash: a7fe28dd04f73a45cf24fffff85a70117338552789dad14eeac3c005c8f16141
                                                                                    • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004641AB
                                                                                    • GetLastError.KERNEL32 ref: 004641B5
                                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 004641C6
                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004641D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3373104450-0
                                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                    • Instruction ID: 7f8413aa623b1f683ef3e543ab2f961f8058e22e8852255159d2efca2801bf84
                                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                    • Instruction Fuzzy Hash: 4301297651110AABDF01DF90ED88BEF3B6CEB18355F004062F901E2150EB749B908BBA
                                                                                    APIs
                                                                                    • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0046421F
                                                                                    • GetLastError.KERNEL32 ref: 00464229
                                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 0046423A
                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046424D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 888215731-0
                                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                    • Instruction ID: a93f0dc9b3504264ead9b538886c9072a889d3b7388a5bf25a0c8c641df98e24
                                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                    • Instruction Fuzzy Hash: 5901A572511109ABDF01DF90ED84BEF7BACEB48395F1084A2F901E2150E7749A949BBA
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                    • GetLastError.KERNEL32 ref: 00403F4E
                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3373104450-0
                                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                    • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                    • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                    APIs
                                                                                    • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                    • GetLastError.KERNEL32 ref: 00403FC2
                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 888215731-0
                                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                    • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                    • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                    APIs
                                                                                    • lstrcmp.KERNEL32(?,80000009), ref: 0046E066
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmp
                                                                                    • String ID: A$ A$ A
                                                                                    • API String ID: 1534048567-1846390581
                                                                                    • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                    • Instruction ID: c85df6c5622a1c2ea0c5b6c6e4a6f6daa79ceb82685bb1705b82dbf65b1be800
                                                                                    • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                    • Instruction Fuzzy Hash: 59F06875200711DBCF20CF16D884983B7E9FB05321B54862BE154C3160E3B8A895CB56
                                                                                    APIs
                                                                                    • QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,0041B040,0041A771), ref: 0041A3DC
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,00000000,0041B040,0041A771), ref: 0041A3F7
                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041A41A
                                                                                    • GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 0041A422
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786379043.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_415000_cwworbfr.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
                                                                                    • String ID:
                                                                                    • API String ID: 975556166-0
                                                                                    • Opcode ID: eec10fcb4f27fd94e23dcfb2cf3dc23bbf0afae29d43b3dbad47bac24437a48c
                                                                                    • Instruction ID: 46f49e01c127cc7cb7310ded353fe3839b5fe7fa6ebed8c87f50d6fc3c9a9a8a
                                                                                    • Opcode Fuzzy Hash: eec10fcb4f27fd94e23dcfb2cf3dc23bbf0afae29d43b3dbad47bac24437a48c
                                                                                    • Instruction Fuzzy Hash: B4F08235785214ABEA306764EC4AF8A3764E718716F518032F7259A2E0C7F418918B6F
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                    • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                    • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                    • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                    • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                    • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                    • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                    • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                    • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                    • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                    • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                    • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                    • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                    • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                    • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00403103
                                                                                    • GetTickCount.KERNEL32 ref: 0040310F
                                                                                    • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                    • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                    • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                    • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(00000001,DF,00000000,00000000,00000000), ref: 0046E470
                                                                                    • CloseHandle.KERNEL32(00000001,00000003), ref: 0046E484
                                                                                      • Part of subcall function 0046E2FC: RegCreateKeyExA.ADVAPI32(80000001,0046E50A,00000000,00000000,00000000,00020106,00000000,0046E50A,00000000,000000E4), ref: 0046E319
                                                                                      • Part of subcall function 0046E2FC: RegSetValueExA.ADVAPI32(0046E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0046E38E
                                                                                      • Part of subcall function 0046E2FC: RegDeleteValueA.ADVAPI32(0046E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DF), ref: 0046E3BF
                                                                                      • Part of subcall function 0046E2FC: RegCloseKey.ADVAPI32(0046E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,DF,0046E50A), ref: 0046E3C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                    • String ID: DF
                                                                                    • API String ID: 4151426672-4019976760
                                                                                    • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                    • Instruction ID: 9a9dfd4a17c0c0597a2abdfbe31175d1c7cab6707d861a625f07469d5941ce53
                                                                                    • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                    • Instruction Fuzzy Hash: 1D41DE75D00208BADB205BA38C46FDB3B9CDF04715F14806BF90994192F7B9DA50D6BE
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 004683C6
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00468477
                                                                                      • Part of subcall function 004669C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 004669E5
                                                                                      • Part of subcall function 004669C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00466A26
                                                                                      • Part of subcall function 004669C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00466A3A
                                                                                      • Part of subcall function 0046EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00461DCF,?), ref: 0046EEA8
                                                                                      • Part of subcall function 0046EE95: HeapFree.KERNEL32(00000000), ref: 0046EEAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                    • String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe
                                                                                    • API String ID: 359188348-3473164681
                                                                                    • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                    • Instruction ID: d6d76367fa1587e5dc69bf0cb3bd002e644d79fa9206c36ae74fe8e1362831f5
                                                                                    • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                    • Instruction Fuzzy Hash: DB414FB2900109BFEB20ABA19D81DEF776CAB04344F1445AFE504D6111FEB95E948B6A
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 0046AFFF
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0046B00D
                                                                                      • Part of subcall function 0046AF6F: gethostname.WS2_32(?,00000080), ref: 0046AF83
                                                                                      • Part of subcall function 0046AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0046AFE6
                                                                                      • Part of subcall function 0046331C: gethostname.WS2_32(?,00000080), ref: 0046333F
                                                                                      • Part of subcall function 0046331C: gethostbyname.WS2_32(?), ref: 00463349
                                                                                      • Part of subcall function 0046AA0A: inet_ntoa.WS2_32(00000000), ref: 0046AA10
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                    • String ID: %OUTLOOK_BND_
                                                                                    • API String ID: 1981676241-3684217054
                                                                                    • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                    • Instruction ID: 7c0bdbc39a179f04afd945aa781d03ccbd0ddbe7e95f4f0c9dfb8f0b2bdbcb96
                                                                                    • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                    • Instruction Fuzzy Hash: 2B41447290020CABDB25EFA1DC46EEF3B6CFF08304F14442BF92492152EB79DA558B59
                                                                                    APIs
                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00469536
                                                                                    • Sleep.KERNEL32(000001F4), ref: 0046955D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShellSleep
                                                                                    • String ID:
                                                                                    • API String ID: 4194306370-3916222277
                                                                                    • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                    • Instruction ID: fe1cb5fbe5ad0d45cc45990d67d24983620cf60c64d3d7a4f993b2480df2b8af
                                                                                    • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                    • Instruction Fuzzy Hash: AC41C8729083557EEB378A64D8497A77BEC9B02314F1441A7D48397292FAFC4D82871B
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                    • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID: ,k@
                                                                                    • API String ID: 3934441357-1053005162
                                                                                    • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                    • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                    • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                    • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
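The function records above repeat a small number of API shapes: the overlapped Read/WriteFile completion wait (GetLastError, WaitForSingleObject, GetOverlappedResult), four copies of the GetTickCount / Sleep / InterlockedExchange spin-lock with identical API String ID 2207858713-0, and registry writes buried in subcall lines. The parser below, an added example rather than Joe Sandbox tooling, reads this record format (inferred from the blocks on this page) and groups functions by those patterns; the sample input is copied from the records above with indentation stripped, and the pattern names (overlapped-I/O wait, timed spin-lock) are this example's reading of the call sequences, not labels the report assigns.

```python
"""Triage Joe Sandbox per-function records ("APIs" / "Similarity" blocks) by the API
sequences they list. Added example, not Joe Sandbox tooling; format inferred from this page."""
import re
from collections import defaultdict

# Constructed input: four records copied from this report, indentation stripped.
SAMPLE = """\
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00000001,DF,00000000,00000000,00000000), ref: 0046E470
• CloseHandle.KERNEL32(00000001,00000003), ref: 0046E484
  • Part of subcall function 0046E2FC: RegCreateKeyExA.ADVAPI32(80000001,0046E50A,00000000,00000000,00000000,00020106,00000000,0046E50A,00000000,000000E4), ref: 0046E319
  • Part of subcall function 0046E2FC: RegSetValueExA.ADVAPI32(0046E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0046E38E
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: DF
• API String ID: 4151426672-4019976760
"""

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<api>\w+)\."
                    r"(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity")

def parse_records(text):
    """One dict per function; a record starts at an 'APIs' header, subcalls keep their parent in 'sub'."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "similarity": {}}
            records.append(rec)
            section = line
        elif rec is None:
            continue                                    # tail of a record that began before our text
        elif line in SECTIONS:
            section = line
        elif line.startswith("•"):
            item = line.lstrip("• ")
            if section == "APIs" and (m := API_RE.match(item)):
                d = m.groupdict()
                d["args"] = d["args"].split(",") if d["args"] else []
                rec["apis"].append(d)
            elif section == "Similarity":               # "String ID:" may carry an empty value
                key, _, val = item.partition(":")
                rec["similarity"][key] = val.strip()
    return records

def api_names(rec):                                     # direct calls only, listing order
    return [a["api"] for a in rec["apis"] if a["sub"] is None]

def in_order(seq, wanted):                              # True when `wanted` is a subsequence of `seq`
    it = iter(seq)
    return all(any(n == x for x in it) for n in wanted)

def overlapped_io_waits(records):
    """Read/WriteFile, GetLastError (ERROR_IO_PENDING), WaitForSingleObject, GetOverlappedResult."""
    return [r["apis"][0]["ref"] for r in records if r["apis"]
            and set(api_names(r)) & {"ReadFile", "WriteFile"}
            and in_order(api_names(r), ["GetLastError", "WaitForSingleObject", "GetOverlappedResult"])]

def timed_spin_locks(records):
    """GetTickCount x2 around Sleep + InterlockedExchange: a try-lock loop with a tick deadline."""
    return [r["apis"][0]["ref"] for r in records if api_names(r).count("GetTickCount") >= 2
            and in_order(api_names(r), ["Sleep", "InterlockedExchange"])]

HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}
def registry_keys_opened(records):
    """(ref, api, hive) for every RegCreateKeyEx*/RegOpenKeyEx*, subcall lines included."""
    return [(a["ref"], a["api"], HIVES.get(a["args"][0])) for r in records for a in r["apis"]
            if a["args"] and a["api"].startswith(("RegCreateKeyEx", "RegOpenKeyEx"))]

def group_by_api_string_id(records):
    """Functions sharing an 'API String ID' are the same routine seen at several addresses."""
    groups = defaultdict(list)
    for r in records:
        if r["apis"] and r["similarity"].get("API String ID"):
            groups[r["similarity"]["API String ID"]].append(r["apis"][0]["ref"])
    return dict(groups)
```

Run against the whole report text, `group_by_api_string_id` collapses the duplicated spin-lock and I/O-wait helpers into one entry each, so the remaining singletons (the registry writer, the SysWOW64 path handler, the gethostname/%OUTLOOK_BND_ routine) are the functions worth opening in the dump first; `registry_keys_opened` resolves the 80000001 hive argument to HKEY_CURRENT_USER for the subcall at 0046E319.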
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0046B9D9
                                                                                    • InterlockedIncrement.KERNEL32(00413648), ref: 0046BA3A
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 0046BA94
                                                                                    • GetTickCount.KERNEL32 ref: 0046BB79
                                                                                    • GetTickCount.KERNEL32 ref: 0046BB99
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 0046BE15
                                                                                    • closesocket.WS2_32(00000000), ref: 0046BEB4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountIncrementInterlockedTick$closesocket
                                                                                    • String ID: %FROM_EMAIL
                                                                                    • API String ID: 1869671989-2903620461
                                                                                    • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                    • Instruction ID: 4393a541e612c9543a68758c94da11452edce1d8510fae8c2550dc796e523f44
                                                                                    • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                    • Instruction Fuzzy Hash: 25318F71500248DFDF25DFA5DC44AEA77B8EB44700F20406BFA14D2161EB39DA85CF9A
                                                                                    APIs
                                                                                    Strings
                                                                                    • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTickwsprintf
                                                                                    • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                    • API String ID: 2424974917-1012700906
                                                                                    • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                    • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                    • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                    • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                    APIs
                                                                                      • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                      • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                    • String ID: %FROM_EMAIL
                                                                                    • API String ID: 3716169038-2903620461
                                                                                    • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                    • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                    • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                    • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                    APIs
                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 004670BC
                                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 004670F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Name$AccountLookupUser
                                                                                    • String ID: |
                                                                                    • API String ID: 2370142434-2343686810
                                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                    • Instruction ID: 4e38d3658593371dd251857ad8370064e5682ec9b88efec960342c59809c35bf
                                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                    • Instruction Fuzzy Hash: 2B113C7290411CEBDF11CFD4DC84ADFB7BCAB05305F1441A7E611E6290E6749B88CBA5
                                                                                    APIs
                                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 2777991786-1857712256
                                                                                    • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                    • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                    • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                    • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                    APIs
                                                                                    • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                    • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: IncrementInterlockedlstrcpyn
                                                                                    • String ID: %FROM_EMAIL
                                                                                    • API String ID: 224340156-2903620461
                                                                                    • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                    • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                    • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                    • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                    APIs
                                                                                    • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                    • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: gethostbyaddrinet_ntoa
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 2112563974-1857712256
                                                                                    • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                    • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                    • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                    • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                    APIs
                                                                                    • RegisterServiceCtrlHandlerA.ADVAPI32(rxarouyf,Function_00009867), ref: 0040996C
                                                                                      • Part of subcall function 00409892: SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                      • Part of subcall function 004098F2: Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                                    • String ID: 8sV$rxarouyf
                                                                                    • API String ID: 1317371667-2134686474
                                                                                    • Opcode ID: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                                    • Instruction ID: 8090f714d00e8c700c7feefac428721607cdcb0429ac14865b211bf96103553c
                                                                                    • Opcode Fuzzy Hash: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                                    • Instruction Fuzzy Hash: 55F054F2550308AEE2106F616D87B537548A711349F08C03FB919693D3EBBD4D44822D
                                                                                    APIs
                                                                                    • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                    • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: gethostbynameinet_addr
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 1594361348-2401304539
                                                                                    • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                    • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                    • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                    • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: ntdll.dll
                                                                                    • API String ID: 2574300362-2227199552
                                                                                    • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                    • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                    • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                    • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                    APIs
                                                                                      • Part of subcall function 00462F88: GetModuleHandleA.KERNEL32(?), ref: 00462FA1
                                                                                      • Part of subcall function 00462F88: LoadLibraryA.KERNEL32(?), ref: 00462FB1
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004631DA
                                                                                    • HeapFree.KERNEL32(00000000), ref: 004631E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786454955.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Offset: 00460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_460000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1017166417-0
                                                                                    • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                    • Instruction ID: dc86d8ccbab85141f1e1260874ff3c37ee5b044c3c16da46fec4a53512397cd6
                                                                                    • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                    • Instruction Fuzzy Hash: 9951DE3190024AAFCF019F64D8849FAB779FF06305F1440AAEC96C7211F736DA19CB99
                                                                                    APIs
                                                                                      • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                      • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                    • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1786330932.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_400000_cwworbfr.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1017166417-0
                                                                                    • Opcode ID: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                    • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                    • Opcode Fuzzy Hash: ddc1366e71bb2e66961e885791bb3d9f2ae4384e5350e4f1bce6563879376d33
                                                                                    • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                    Execution Graph

                                                                                    Execution Coverage:15%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:0.7%
                                                                                    Total number of Nodes:1805
                                                                                    Total number of Limit Nodes:18
6331 32d818d 6329->6331 6332 32d81f7 6329->6332 6330->6325 6331->6332 6337 32debcc 4 API calls 6331->6337 6334 32d820d RegCloseKey 6332->6334 6336 32dec2e codecvt 4 API calls 6332->6336 6333->6324 6335 32dec2e codecvt 4 API calls 6333->6335 6334->6330 6335->6324 6342 32d81dd 6336->6342 6338 32d81a0 6337->6338 6338->6334 6339 32d81aa RegQueryValueExA 6338->6339 6339->6332 6340 32d81c4 6339->6340 6341 32debcc 4 API calls 6340->6341 6341->6342 6342->6334 6939 32dec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6343->6939 6345 32d5e71 6940 32de654 6345->6940 6347 32d5ec1 6348 32d3132 6347->6348 6349 32ddf70 12 API calls 6348->6349 6350 32d313b 6349->6350 6351 32dc125 6350->6351 6951 32dec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6351->6951 6353 32dc12d 6354 32de654 13 API calls 6353->6354 6355 32dc2bd 6354->6355 6356 32de654 13 API calls 6355->6356 6357 32dc2c9 6356->6357 6358 32de654 13 API calls 6357->6358 6359 32da47a 6358->6359 6360 32d8db1 6359->6360 6361 32d8dbc 6360->6361 6362 32de654 13 API calls 6361->6362 6363 32d8dec Sleep 6362->6363 6363->6182 6365 32dc92f 6364->6365 6366 32dc93c 6365->6366 6963 32dc517 6365->6963 6368 32dca2b 6366->6368 6369 32de819 11 API calls 6366->6369 6368->6182 6370 32dc96a 6369->6370 6371 32de819 11 API calls 6370->6371 6372 32dc97d 6371->6372 6373 32de819 11 API calls 6372->6373 6374 32dc990 6373->6374 6375 32dc9aa 6374->6375 6376 32debcc 4 API calls 6374->6376 6375->6368 6952 32d2684 6375->6952 6376->6375 6381 32dca26 6980 32dc8aa 6381->6980 6384 32dca44 6385 32dca4b closesocket 6384->6385 6386 32dca83 6384->6386 6385->6381 6387 32dea84 30 API calls 6386->6387 6388 32dcaac 6387->6388 6389 32df04e 4 API calls 6388->6389 6390 32dcab2 6389->6390 6391 32dea84 30 API calls 6390->6391 6392 32dcaca 6391->6392 6393 32dea84 30 API calls 6392->6393 6394 32dcad9 6393->6394 6984 32dc65c 6394->6984 6397 32dcb60 closesocket 6397->6368 6399 32ddad2 closesocket 6400 32de318 23 API calls 6399->6400 6401 32ddae0 
6400->6401 6401->6368 6402 32ddf4c 20 API calls 6460 32dcb70 6402->6460 6407 32de654 13 API calls 6407->6460 6410 32df04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6410->6460 6414 32dcc1c GetTempPathA 6414->6460 6415 32dea84 30 API calls 6415->6460 6416 32dd569 closesocket Sleep 7031 32de318 6416->7031 6417 32dd815 wsprintfA 6417->6460 6418 32dc517 23 API calls 6418->6460 6420 32de8a1 30 API calls 6420->6460 6421 32dd582 ExitProcess 6422 32dcfe3 GetSystemDirectoryA 6422->6460 6423 32d675c 21 API calls 6423->6460 6424 32dd027 GetSystemDirectoryA 6424->6460 6425 32dc65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6425->6460 6426 32dcfad GetEnvironmentVariableA 6426->6460 6427 32dd105 lstrcatA 6427->6460 6428 32def1e lstrlenA 6428->6460 6429 32dec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6429->6460 6430 32dcc9f CreateFileA 6432 32dccc6 WriteFile 6430->6432 6430->6460 6431 32dd15b CreateFileA 6433 32dd182 WriteFile CloseHandle 6431->6433 6431->6460 6434 32dcced CloseHandle 6432->6434 6435 32dcdcc CloseHandle 6432->6435 6433->6460 6441 32dcd2f 6434->6441 6435->6460 6436 32dd149 SetFileAttributesA 6436->6431 6437 32dcd16 wsprintfA 6437->6441 6438 32dd36e GetEnvironmentVariableA 6438->6460 6439 32dd1bf SetFileAttributesA 6439->6460 6440 32d8e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6440->6460 6441->6437 7013 32d7fcf 6441->7013 6442 32d7ead 6 API calls 6442->6460 6443 32dd22d GetEnvironmentVariableA 6443->6460 6445 32dd3af lstrcatA 6448 32dd3f2 CreateFileA 6445->6448 6445->6460 6447 32d7fcf 64 API calls 6447->6460 6451 32dd415 WriteFile CloseHandle 6448->6451 6448->6460 6449 32dcda5 6453 32d7ee6 64 API calls 6449->6453 6450 32dcd81 WaitForSingleObject CloseHandle CloseHandle 6452 32df04e 4 API calls 6450->6452 6451->6460 6452->6449 6454 32dcdbd DeleteFileA 6453->6454 6454->6460 6455 32dd4b1 CreateProcessA 6459 32dd4e8 CloseHandle CloseHandle 6455->6459 6455->6460 6456 
32dd3e0 SetFileAttributesA 6456->6448 6457 32dd26e lstrcatA 6458 32dd2b1 CreateFileA 6457->6458 6457->6460 6458->6460 6461 32dd2d8 WriteFile CloseHandle 6458->6461 6459->6460 6460->6399 6460->6402 6460->6407 6460->6410 6460->6414 6460->6415 6460->6416 6460->6417 6460->6418 6460->6420 6460->6422 6460->6423 6460->6424 6460->6425 6460->6426 6460->6427 6460->6428 6460->6429 6460->6430 6460->6431 6460->6436 6460->6438 6460->6439 6460->6440 6460->6442 6460->6443 6460->6445 6460->6447 6460->6448 6460->6455 6460->6456 6460->6457 6460->6458 6462 32d7ee6 64 API calls 6460->6462 6463 32dd452 SetFileAttributesA 6460->6463 6464 32dd29f SetFileAttributesA 6460->6464 6467 32dd31d SetFileAttributesA 6460->6467 6992 32dc75d 6460->6992 7004 32d7e2f 6460->7004 7026 32d7ead 6460->7026 7036 32d31d0 6460->7036 7053 32d3c09 6460->7053 7063 32d3a00 6460->7063 7067 32de7b4 6460->7067 7070 32dc06c 6460->7070 7076 32d6f5f GetUserNameA 6460->7076 7087 32de854 6460->7087 7097 32d7dd6 6460->7097 6461->6460 6462->6460 6463->6460 6464->6458 6467->6460 6469 32d677a SetFileAttributesA 6468->6469 6470 32d6784 CreateFileA 6468->6470 6469->6470 6471 32d67b5 6470->6471 6472 32d67a4 CreateFileA 6470->6472 6473 32d67ba SetFileAttributesA 6471->6473 6474 32d67c5 6471->6474 6472->6471 6473->6474 6475 32d67cf GetFileSize 6474->6475 6476 32d6977 6474->6476 6477 32d6965 6475->6477 6478 32d67e5 6475->6478 6476->6165 6496 32d6a60 CreateFileA 6476->6496 6479 32d696e FindCloseChangeNotification 6477->6479 6478->6477 6480 32d67ed ReadFile 6478->6480 6479->6476 6480->6477 6481 32d6811 SetFilePointer 6480->6481 6481->6477 6482 32d682a ReadFile 6481->6482 6482->6477 6483 32d6848 SetFilePointer 6482->6483 6483->6477 6484 32d6867 6483->6484 6485 32d6878 ReadFile 6484->6485 6486 32d68d5 6484->6486 6487 32d68d0 6485->6487 6489 32d6891 6485->6489 6486->6479 6488 32debcc 4 API calls 6486->6488 6487->6486 6490 32d68f8 6488->6490 6489->6485 6489->6487 6490->6477 6491 32d6900 SetFilePointer 6490->6491 6492 32d690d ReadFile 
6491->6492 6493 32d695a 6491->6493 6492->6493 6494 32d6922 6492->6494 6495 32dec2e codecvt 4 API calls 6493->6495 6494->6479 6495->6477 6497 32d6b8c GetLastError 6496->6497 6498 32d6a8f GetDiskFreeSpaceA 6496->6498 6500 32d6b86 6497->6500 6499 32d6ac5 6498->6499 6506 32d6ad7 6498->6506 7182 32deb0e 6499->7182 6500->6179 6504 32d6b56 CloseHandle 6504->6500 6508 32d6b65 GetLastError CloseHandle 6504->6508 6505 32d6b36 GetLastError CloseHandle 6507 32d6b7f DeleteFileA 6505->6507 7186 32d6987 6506->7186 6507->6500 6508->6507 6510 32d96b9 6509->6510 6511 32d73ff 17 API calls 6510->6511 6512 32d96e2 6511->6512 6513 32d96f7 6512->6513 6514 32d704c 16 API calls 6512->6514 6513->6157 6513->6158 6514->6513 6516 32d429d 6515->6516 6517 32d42a5 6515->6517 6516->6161 6516->6175 7192 32d3ecd 6517->7192 6519 32d42b0 7196 32d4000 6519->7196 6521 32d43c1 CloseHandle 6521->6516 6522 32d42b6 6522->6516 6522->6521 7202 32d3f18 WriteFile 6522->7202 6527 32d43ba CloseHandle 6527->6521 6528 32d4318 6529 32d3f18 4 API calls 6528->6529 6530 32d4331 6529->6530 6531 32d3f18 4 API calls 6530->6531 6532 32d434a 6531->6532 6533 32debcc 4 API calls 6532->6533 6534 32d4350 6533->6534 6535 32d3f18 4 API calls 6534->6535 6536 32d4389 6535->6536 6537 32dec2e codecvt 4 API calls 6536->6537 6538 32d438f 6537->6538 6539 32d3f8c 4 API calls 6538->6539 6540 32d439f CloseHandle CloseHandle 6539->6540 6540->6516 6542 32d99eb 6541->6542 6543 32d9a2f lstrcatA 6542->6543 6544 32dee2a 6543->6544 6545 32d9a4b lstrcatA 6544->6545 6546 32d6a60 13 API calls 6545->6546 6547 32d9a60 6546->6547 6547->6185 6547->6216 6548 32d6dc2 6547->6548 6549 32d6dd7 6548->6549 6550 32d6e33 6548->6550 6551 32d6cc9 5 API calls 6549->6551 6550->6202 6552 32d6ddc 6551->6552 6553 32d6e24 6552->6553 6554 32d6e02 GetVolumeInformationA 6552->6554 6553->6550 6554->6553 6556 32d6cdc GetModuleHandleA GetProcAddress 6555->6556 6563 32d6d8b 6555->6563 6557 32d6cfd 6556->6557 6558 32d6d12 GetSystemDirectoryA 6556->6558 6557->6558 6557->6563 
6559 32d6d1e 6558->6559 6560 32d6d27 GetWindowsDirectoryA 6558->6560 6559->6560 6559->6563 6561 32d6d42 6560->6561 6562 32def1e lstrlenA 6561->6562 6562->6563 6563->6212 7210 32d1910 6564->7210 6567 32d934a GetModuleHandleA GetModuleFileNameA 6569 32d937f 6567->6569 6570 32d93d9 6569->6570 6571 32d93a4 6569->6571 6573 32d9401 wsprintfA 6570->6573 6572 32d93c3 wsprintfA 6571->6572 6574 32d9415 6572->6574 6573->6574 6575 32d94a0 6574->6575 6578 32d6cc9 5 API calls 6574->6578 6576 32d6edd 5 API calls 6575->6576 6577 32d94ac 6576->6577 6579 32d962f 6577->6579 6580 32d94e8 RegOpenKeyExA 6577->6580 6584 32d9439 6578->6584 6586 32d9646 6579->6586 7225 32d1820 6579->7225 6582 32d94fb 6580->6582 6583 32d9502 6580->6583 6582->6579 6588 32d958a 6582->6588 6589 32d951f RegQueryValueExA 6583->6589 6590 32def1e lstrlenA 6584->6590 6587 32d95d6 6586->6587 7231 32d91eb 6586->7231 6587->6221 6587->6222 6588->6586 6592 32d9593 6588->6592 6593 32d9539 6589->6593 6594 32d9530 6589->6594 6591 32d9462 6590->6591 6596 32d947e wsprintfA 6591->6596 6592->6587 7212 32df0e4 6592->7212 6597 32d9556 RegQueryValueExA 6593->6597 6595 32d956e RegCloseKey 6594->6595 6595->6582 6596->6575 6597->6594 6597->6595 6599 32d95bb 6599->6587 7219 32d18e0 6599->7219 6602 32d2544 6601->6602 6603 32d972d RegOpenKeyExA 6602->6603 6604 32d9765 6603->6604 6605 32d9740 6603->6605 6604->6197 6606 32d974f RegDeleteValueA RegCloseKey 6605->6606 6606->6604 6608 32d2554 lstrcatA 6607->6608 6609 32dee2a 6608->6609 6610 32da0ec lstrcatA 6609->6610 6610->6229 6612 32da15d 6611->6612 6613 32dec37 6611->6613 6612->6161 6612->6165 6614 32deba0 codecvt 2 API calls 6613->6614 6615 32dec3d GetProcessHeap RtlFreeHeap 6614->6615 6615->6612 6617 32d2544 6616->6617 6618 32d919e wsprintfA 6617->6618 6619 32d91bb 6618->6619 7269 32d9064 GetTempPathA 6619->7269 6622 32d91d5 ShellExecuteA 6623 32d91e7 6622->6623 6623->6179 6625 32d6ecc 6624->6625 6627 32d6ed5 6624->6627 6626 32d6e36 2 API calls 6625->6626 6626->6627 6627->6217 6629 
32d98f6 6628->6629 6630 32d4280 30 API calls 6629->6630 6631 32d9904 Sleep 6629->6631 6633 32d9915 6629->6633 6630->6629 6631->6629 6631->6633 6632 32d9947 6632->6209 6633->6632 7276 32d977c 6633->7276 6636 32ddd41 InterlockedExchange 6635->6636 6637 32ddd4a 6636->6637 6638 32ddd20 GetCurrentThreadId 6636->6638 6640 32ddd53 GetCurrentThreadId 6637->6640 6639 32ddd2e GetTickCount 6638->6639 6638->6640 6641 32ddd4c 6639->6641 6642 32ddd39 Sleep 6639->6642 6640->6248 6641->6640 6642->6636 6644 32ddbf0 6643->6644 6676 32ddb67 GetEnvironmentVariableA 6644->6676 6646 32ddc19 6647 32ddcda 6646->6647 6648 32ddb67 3 API calls 6646->6648 6647->6250 6649 32ddc5c 6648->6649 6649->6647 6650 32ddb67 3 API calls 6649->6650 6651 32ddc9b 6650->6651 6651->6647 6652 32ddb67 3 API calls 6651->6652 6652->6647 6654 32de528 6653->6654 6655 32de3f4 6653->6655 6654->6261 6656 32de434 RegQueryValueExA 6655->6656 6657 32de51d RegCloseKey 6656->6657 6658 32de458 6656->6658 6657->6654 6659 32de46e RegQueryValueExA 6658->6659 6659->6658 6660 32de488 6659->6660 6660->6657 6661 32ddb2e 8 API calls 6660->6661 6662 32de499 6661->6662 6662->6657 6663 32de4b9 RegQueryValueExA 6662->6663 6664 32de4e8 6662->6664 6663->6662 6663->6664 6664->6657 6665 32de332 14 API calls 6664->6665 6666 32de513 6665->6666 6666->6657 6668 32ddb3a 6667->6668 6669 32ddb55 6667->6669 6680 32debed 6668->6680 6669->6253 6669->6257 6698 32df04e SystemTimeToFileTime GetSystemTimeAsFileTime 6671->6698 6673 32de3be 6673->6253 6675 32de342 6675->6673 6701 32dde24 6675->6701 6677 32ddb89 lstrcpyA CreateFileA 6676->6677 6678 32ddbca 6676->6678 6677->6646 6678->6646 6681 32debf6 6680->6681 6682 32dec01 6680->6682 6689 32debcc GetProcessHeap RtlAllocateHeap 6681->6689 6692 32deba0 6682->6692 6690 32deb74 2 API calls 6689->6690 6691 32debe8 6690->6691 6691->6669 6693 32debbf GetProcessHeap RtlReAllocateHeap 6692->6693 6694 32deba7 GetProcessHeap HeapSize 6692->6694 6695 32deb74 6693->6695 6694->6693 6696 32deb7b GetProcessHeap HeapSize 
6695->6696 6697 32deb93 6695->6697 6696->6697 6697->6669 6712 32deb41 6698->6712 6700 32df0b7 6700->6675 6702 32dde3a 6701->6702 6708 32dde4e 6702->6708 6721 32ddd84 6702->6721 6705 32debed 8 API calls 6710 32ddef6 6705->6710 6706 32dde9e 6706->6705 6706->6708 6707 32dde76 6725 32dddcf 6707->6725 6708->6675 6710->6708 6711 32dddcf lstrcmpA 6710->6711 6711->6708 6713 32deb4a 6712->6713 6714 32deb61 6712->6714 6717 32deae4 6713->6717 6714->6700 6716 32deb54 6716->6700 6716->6714 6718 32deaed LoadLibraryA 6717->6718 6719 32deb02 GetProcAddress 6717->6719 6718->6719 6720 32deb01 6718->6720 6719->6716 6720->6716 6722 32dddc5 6721->6722 6723 32ddd96 6721->6723 6722->6706 6722->6707 6723->6722 6724 32dddad lstrcmpiA 6723->6724 6724->6722 6724->6723 6726 32ddddd 6725->6726 6728 32dde20 6725->6728 6727 32dddfa lstrcmpA 6726->6727 6726->6728 6727->6726 6728->6708 6730 32ddd05 6 API calls 6729->6730 6731 32de821 6730->6731 6732 32ddd84 lstrcmpiA 6731->6732 6733 32de82c 6732->6733 6734 32de844 6733->6734 6779 32d2480 6733->6779 6734->6277 6737 32dea98 6736->6737 6788 32de8a1 6737->6788 6739 32d1e84 6739->6286 6741 32d19ce 6740->6741 6742 32d19d5 GetProcAddress GetProcAddress GetProcAddress 6740->6742 6741->6290 6743 32d1a04 6742->6743 6744 32d1ab3 FreeLibrary 6742->6744 6743->6744 6745 32d1a14 GetBestInterface GetProcessHeap 6743->6745 6744->6741 6745->6741 6746 32d1a2e HeapAlloc 6745->6746 6746->6741 6747 32d1a42 GetAdaptersInfo 6746->6747 6748 32d1a62 6747->6748 6749 32d1a52 HeapReAlloc 6747->6749 6750 32d1a69 GetAdaptersInfo 6748->6750 6751 32d1aa1 FreeLibrary 6748->6751 6749->6748 6750->6751 6752 32d1a75 HeapFree 6750->6752 6751->6741 6752->6751 6816 32d1ac3 LoadLibraryA 6754->6816 6757 32d1bcf 6757->6301 6759 32d1ac3 13 API calls 6758->6759 6760 32d1c09 6759->6760 6761 32d1c0d GetComputerNameA 6760->6761 6762 32d1c5a 6760->6762 6763 32d1c1f 6761->6763 6764 32d1c45 GetVolumeInformationA 6761->6764 6762->6310 6763->6764 6765 32d1c41 6763->6765 6764->6762 6765->6762 6767 
32dee2a 6766->6767 6768 32d30d0 gethostname gethostbyname 6767->6768 6769 32d1f82 6768->6769 6769->6314 6769->6316 6771 32ddd05 6 API calls 6770->6771 6772 32ddf7c 6771->6772 6773 32ddd84 lstrcmpiA 6772->6773 6777 32ddf89 6773->6777 6774 32ddfc4 6774->6283 6775 32dddcf lstrcmpA 6775->6777 6776 32dec2e codecvt 4 API calls 6776->6777 6777->6774 6777->6775 6777->6776 6778 32ddd84 lstrcmpiA 6777->6778 6778->6777 6782 32d2419 lstrlenA 6779->6782 6781 32d2491 6781->6734 6783 32d243d lstrlenA 6782->6783 6784 32d2474 6782->6784 6785 32d244e lstrcmpiA 6783->6785 6786 32d2464 lstrlenA 6783->6786 6784->6781 6785->6786 6787 32d245c 6785->6787 6786->6783 6786->6784 6787->6784 6787->6786 6789 32ddd05 6 API calls 6788->6789 6790 32de8b4 6789->6790 6791 32ddd84 lstrcmpiA 6790->6791 6792 32de8c0 6791->6792 6793 32de8c8 lstrcpynA 6792->6793 6794 32de90a 6792->6794 6795 32de8f5 6793->6795 6796 32d2419 4 API calls 6794->6796 6804 32dea27 6794->6804 6809 32ddf4c 6795->6809 6797 32de926 lstrlenA lstrlenA 6796->6797 6799 32de94c lstrlenA 6797->6799 6800 32de96a 6797->6800 6799->6800 6803 32debcc 4 API calls 6800->6803 6800->6804 6801 32de901 6802 32ddd84 lstrcmpiA 6801->6802 6802->6794 6805 32de98f 6803->6805 6804->6739 6805->6804 6806 32ddf4c 20 API calls 6805->6806 6807 32dea1e 6806->6807 6808 32dec2e codecvt 4 API calls 6807->6808 6808->6804 6810 32ddd05 6 API calls 6809->6810 6811 32ddf51 6810->6811 6812 32df04e 4 API calls 6811->6812 6813 32ddf58 6812->6813 6814 32dde24 10 API calls 6813->6814 6815 32ddf63 6814->6815 6815->6801 6817 32d1ae2 GetProcAddress 6816->6817 6823 32d1b68 GetComputerNameA GetVolumeInformationA 6816->6823 6820 32d1af5 6817->6820 6817->6823 6818 32d1b1c GetAdaptersAddresses 6818->6820 6821 32d1b29 6818->6821 6819 32debed 8 API calls 6819->6820 6820->6818 6820->6819 6820->6821 6821->6821 6822 32dec2e codecvt 4 API calls 6821->6822 6821->6823 6822->6823 6823->6757 6825 32d6ec3 2 API calls 6824->6825 6826 32d7ef4 6825->6826 6827 32d7fc9 6826->6827 6860 32d73ff 
6826->6860 6827->6325 6829 32d7f16 6829->6827 6880 32d7809 GetUserNameA 6829->6880 6831 32d7f63 6831->6827 6904 32def1e lstrlenA 6831->6904 6834 32def1e lstrlenA 6835 32d7fb7 6834->6835 6906 32d7a95 RegOpenKeyExA 6835->6906 6838 32d7073 6837->6838 6839 32d70b9 RegOpenKeyExA 6838->6839 6840 32d70d0 6839->6840 6854 32d71b8 6839->6854 6841 32d6dc2 6 API calls 6840->6841 6844 32d70d5 6841->6844 6842 32d719b RegEnumValueA 6843 32d71af RegCloseKey 6842->6843 6842->6844 6843->6854 6844->6842 6846 32d71d0 6844->6846 6937 32df1a5 lstrlenA 6844->6937 6847 32d7205 RegCloseKey 6846->6847 6848 32d7227 6846->6848 6847->6854 6849 32d728e RegCloseKey 6848->6849 6850 32d72b8 ___ascii_stricmp 6848->6850 6849->6854 6851 32d72cd RegCloseKey 6850->6851 6852 32d72dd 6850->6852 6851->6854 6853 32d7311 RegCloseKey 6852->6853 6855 32d7335 6852->6855 6853->6854 6854->6326 6856 32d73d5 RegCloseKey 6855->6856 6858 32d737e GetFileAttributesExA 6855->6858 6859 32d7397 6855->6859 6857 32d73e4 6856->6857 6858->6859 6859->6856 6861 32d741b 6860->6861 6862 32d6dc2 6 API calls 6861->6862 6863 32d743f 6862->6863 6864 32d7469 RegOpenKeyExA 6863->6864 6865 32d77f9 6864->6865 6875 32d7487 ___ascii_stricmp 6864->6875 6865->6829 6866 32d7703 RegEnumKeyA 6867 32d7714 RegCloseKey 6866->6867 6866->6875 6867->6865 6868 32d74d2 RegOpenKeyExA 6868->6875 6869 32d772c 6871 32d774b 6869->6871 6872 32d7742 RegCloseKey 6869->6872 6870 32d7521 RegQueryValueExA 6870->6875 6873 32d77ec RegCloseKey 6871->6873 6872->6871 6873->6865 6874 32d76e4 RegCloseKey 6874->6875 6875->6866 6875->6868 6875->6869 6875->6870 6875->6874 6876 32d7769 6875->6876 6878 32df1a5 lstrlenA 6875->6878 6879 32d777e GetFileAttributesExA 6875->6879 6877 32d77e3 RegCloseKey 6876->6877 6877->6873 6878->6875 6879->6876 6881 32d783d LookupAccountNameA 6880->6881 6887 32d7a8d 6880->6887 6882 32d7874 GetLengthSid GetFileSecurityA 6881->6882 6881->6887 6883 32d78a8 GetSecurityDescriptorOwner 6882->6883 6882->6887 6884 32d791d GetSecurityDescriptorDacl 
6883->6884 6885 32d78c5 EqualSid 6883->6885 6884->6887 6897 32d7941 6884->6897 6885->6884 6886 32d78dc LocalAlloc 6885->6886 6886->6884 6888 32d78ef InitializeSecurityDescriptor 6886->6888 6887->6831 6889 32d78fb SetSecurityDescriptorOwner 6888->6889 6890 32d7916 LocalFree 6888->6890 6889->6890 6892 32d790b SetFileSecurityA 6889->6892 6890->6884 6891 32d795b GetAce 6891->6897 6892->6890 6893 32d7980 EqualSid 6893->6897 6894 32d79be EqualSid 6894->6897 6895 32d7a3d 6895->6887 6896 32d7a43 LocalAlloc 6895->6896 6896->6887 6899 32d7a56 InitializeSecurityDescriptor 6896->6899 6897->6887 6897->6891 6897->6893 6897->6894 6897->6895 6898 32d799d DeleteAce 6897->6898 6898->6897 6900 32d7a86 LocalFree 6899->6900 6901 32d7a62 SetSecurityDescriptorDacl 6899->6901 6900->6887 6901->6900 6902 32d7a73 SetFileSecurityA 6901->6902 6902->6900 6903 32d7a83 6902->6903 6903->6900 6905 32d7fa6 6904->6905 6905->6834 6907 32d7acb GetUserNameA 6906->6907 6908 32d7ac4 6906->6908 6909 32d7aed LookupAccountNameA 6907->6909 6910 32d7da7 RegCloseKey 6907->6910 6908->6827 6909->6910 6911 32d7b24 RegGetKeySecurity 6909->6911 6910->6908 6911->6910 6912 32d7b49 GetSecurityDescriptorOwner 6911->6912 6913 32d7bb8 GetSecurityDescriptorDacl 6912->6913 6914 32d7b63 EqualSid 6912->6914 6916 32d7da6 6913->6916 6929 32d7bdc 6913->6929 6914->6913 6915 32d7b74 LocalAlloc 6914->6915 6915->6913 6917 32d7b8a InitializeSecurityDescriptor 6915->6917 6916->6910 6918 32d7b96 SetSecurityDescriptorOwner 6917->6918 6919 32d7bb1 LocalFree 6917->6919 6918->6919 6921 32d7ba6 RegSetKeySecurity 6918->6921 6919->6913 6920 32d7bf8 GetAce 6920->6929 6921->6919 6922 32d7c1d EqualSid 6922->6929 6923 32d7c5f EqualSid 6923->6929 6924 32d7cd9 6924->6916 6926 32d7d5a LocalAlloc 6924->6926 6927 32d7cf2 RegOpenKeyExA 6924->6927 6925 32d7c3a DeleteAce 6925->6929 6926->6916 6928 32d7d70 InitializeSecurityDescriptor 6926->6928 6927->6926 6934 32d7d0f 6927->6934 6930 32d7d7c SetSecurityDescriptorDacl 6928->6930 6931 32d7d9f LocalFree 
6928->6931 6929->6916 6929->6920 6929->6922 6929->6923 6929->6924 6929->6925 6930->6931 6932 32d7d8c RegSetKeySecurity 6930->6932 6931->6916 6932->6931 6933 32d7d9c 6932->6933 6933->6931 6935 32d7d43 RegSetValueExA 6934->6935 6935->6926 6936 32d7d54 6935->6936 6936->6926 6938 32df1c3 6937->6938 6938->6844 6939->6345 6941 32ddd05 6 API calls 6940->6941 6944 32de65f 6941->6944 6942 32de6a5 6943 32debcc 4 API calls 6942->6943 6946 32de6f5 6942->6946 6947 32de6b0 6943->6947 6944->6942 6945 32de68c lstrcmpA 6944->6945 6945->6944 6948 32de6b7 6946->6948 6950 32de71d lstrcmpA 6946->6950 6947->6946 6947->6948 6949 32de6e0 lstrcpynA 6947->6949 6948->6347 6949->6946 6950->6946 6951->6353 6953 32d268e 6952->6953 6954 32d2692 inet_addr 6952->6954 6956 32df428 6953->6956 6954->6953 6955 32d269e gethostbyname 6954->6955 6955->6953 7104 32df315 6956->7104 6959 32df43e 6960 32df473 recv 6959->6960 6961 32df47c 6960->6961 6962 32df458 6960->6962 6961->6384 6962->6960 6962->6961 6964 32dc532 6963->6964 6965 32dc525 6963->6965 6966 32dc548 6964->6966 7117 32de7ff 6964->7117 6965->6964 6967 32dec2e codecvt 4 API calls 6965->6967 6969 32de7ff lstrcmpiA 6966->6969 6977 32dc54f 6966->6977 6967->6964 6970 32dc615 6969->6970 6971 32debcc 4 API calls 6970->6971 6970->6977 6971->6977 6973 32dc5d1 6974 32debcc 4 API calls 6973->6974 6974->6977 6975 32de819 11 API calls 6976 32dc5b7 6975->6976 6978 32df04e 4 API calls 6976->6978 6977->6366 6979 32dc5bf 6978->6979 6979->6966 6979->6973 6981 32dc8d2 6980->6981 6982 32dc907 6981->6982 6983 32dc517 23 API calls 6981->6983 6982->6368 6983->6982 6985 32dc670 6984->6985 6986 32dc67d 6984->6986 6987 32debcc 4 API calls 6985->6987 6988 32debcc 4 API calls 6986->6988 6990 32dc699 6986->6990 6987->6986 6988->6990 6989 32dc6f3 6989->6397 6989->6460 6990->6989 6991 32dc73c send 6990->6991 6991->6989 6993 32dc770 6992->6993 6994 32dc77d 6992->6994 6996 32debcc 4 API calls 6993->6996 6995 32dc799 6994->6995 6997 32debcc 4 API calls 6994->6997 6998 32dc7b5 
6995->6998 6999 32debcc 4 API calls 6995->6999 6996->6994 6997->6995 7000 32df43e recv 6998->7000 6999->6998 7001 32dc7cb 7000->7001 7002 32df43e recv 7001->7002 7003 32dc7d3 7001->7003 7002->7003 7003->6460 7120 32d7db7 7004->7120 7007 32df04e 4 API calls 7009 32d7e4c 7007->7009 7008 32d7e96 7008->6460 7011 32df04e 4 API calls 7009->7011 7012 32d7e70 7009->7012 7010 32df04e 4 API calls 7010->7008 7011->7012 7012->7008 7012->7010 7014 32d6ec3 2 API calls 7013->7014 7015 32d7fdd 7014->7015 7016 32d73ff 17 API calls 7015->7016 7025 32d80c2 CreateProcessA 7015->7025 7017 32d7fff 7016->7017 7018 32d7809 21 API calls 7017->7018 7017->7025 7019 32d804d 7018->7019 7020 32def1e lstrlenA 7019->7020 7019->7025 7021 32d809e 7020->7021 7022 32def1e lstrlenA 7021->7022 7023 32d80af 7022->7023 7024 32d7a95 24 API calls 7023->7024 7024->7025 7025->6449 7025->6450 7027 32d7db7 2 API calls 7026->7027 7028 32d7eb8 7027->7028 7029 32df04e 4 API calls 7028->7029 7030 32d7ece DeleteFileA 7029->7030 7030->6460 7032 32ddd05 6 API calls 7031->7032 7033 32de31d 7032->7033 7124 32de177 7033->7124 7035 32de326 7035->6421 7037 32d31f3 7036->7037 7047 32d31ec 7036->7047 7038 32debcc 4 API calls 7037->7038 7052 32d31fc 7038->7052 7039 32d344b 7040 32d349d 7039->7040 7041 32d3459 7039->7041 7042 32dec2e codecvt 4 API calls 7040->7042 7043 32df04e 4 API calls 7041->7043 7042->7047 7044 32d345f 7043->7044 7046 32d30fa 4 API calls 7044->7046 7045 32debcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7045->7052 7046->7047 7047->6460 7048 32d344d 7049 32dec2e codecvt 4 API calls 7048->7049 7049->7039 7051 32d3141 lstrcmpiA 7051->7052 7052->7039 7052->7045 7052->7047 7052->7048 7052->7051 7150 32d30fa GetTickCount 7052->7150 7054 32d30fa 4 API calls 7053->7054 7055 32d3c1a 7054->7055 7056 32d3ce6 7055->7056 7155 32d3a72 7055->7155 7056->6460 7059 32d3a72 9 API calls 7061 32d3c5e 7059->7061 7060 32d3a72 9 API calls 7060->7061 7061->7056 7061->7060 7062 32dec2e GetProcessHeap HeapSize 
GetProcessHeap RtlFreeHeap codecvt 7061->7062 7062->7061 7064 32d3a10 7063->7064 7065 32d30fa 4 API calls 7064->7065 7066 32d3a1a 7065->7066 7066->6460 7068 32ddd05 6 API calls 7067->7068 7069 32de7be 7068->7069 7069->6460 7071 32dc07e wsprintfA 7070->7071 7072 32dc105 7070->7072 7164 32dbfce GetTickCount wsprintfA 7071->7164 7072->6460 7074 32dc0ef 7165 32dbfce GetTickCount wsprintfA 7074->7165 7077 32d6f88 LookupAccountNameA 7076->7077 7078 32d7047 7076->7078 7080 32d6fcb 7077->7080 7081 32d7025 7077->7081 7078->6460 7084 32d6fdb ConvertSidToStringSidA 7080->7084 7166 32d6edd 7081->7166 7084->7081 7085 32d6ff1 7084->7085 7086 32d7013 LocalFree 7085->7086 7086->7081 7088 32ddd05 6 API calls 7087->7088 7089 32de85c 7088->7089 7090 32ddd84 lstrcmpiA 7089->7090 7091 32de867 7090->7091 7092 32de885 lstrcpyA 7091->7092 7177 32d24a5 7091->7177 7180 32ddd69 7092->7180 7098 32d7db7 2 API calls 7097->7098 7099 32d7de1 7098->7099 7100 32df04e 4 API calls 7099->7100 7103 32d7e16 7099->7103 7101 32d7df2 7100->7101 7102 32df04e 4 API calls 7101->7102 7101->7103 7102->7103 7103->6460 7105 32df33b 7104->7105 7113 32dca1d 7104->7113 7106 32df347 htons socket 7105->7106 7107 32df374 closesocket 7106->7107 7108 32df382 ioctlsocket 7106->7108 7107->7113 7109 32df39d 7108->7109 7110 32df3aa connect select 7108->7110 7111 32df39f closesocket 7109->7111 7112 32df3f2 __WSAFDIsSet 7110->7112 7110->7113 7111->7113 7112->7111 7114 32df403 ioctlsocket 7112->7114 7113->6381 7113->6959 7116 32df26d setsockopt setsockopt setsockopt setsockopt setsockopt 7114->7116 7116->7113 7118 32ddd84 lstrcmpiA 7117->7118 7119 32dc58e 7118->7119 7119->6966 7119->6973 7119->6975 7121 32d7dc8 InterlockedExchange 7120->7121 7122 32d7dd4 7121->7122 7123 32d7dc0 Sleep 7121->7123 7122->7007 7122->7012 7123->7121 7126 32de184 7124->7126 7125 32de2e4 7125->7035 7126->7125 7127 32de223 7126->7127 7140 32ddfe2 7126->7140 7127->7125 7129 32ddfe2 8 API calls 7127->7129 7133 32de23c 7129->7133 7130 32de1be 7130->7127 
APIs
• closesocket.WS2_32(?), ref: 032DCA4E
• closesocket.WS2_32(?), ref: 032DCB63
• GetTempPathA.KERNEL32(00000120,?), ref: 032DCC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 032DCCB4
• WriteFile.KERNEL32(032DA4B3,?,-000000E8,?,00000000), ref: 032DCCDC
• CloseHandle.KERNEL32(032DA4B3), ref: 032DCCED
• wsprintfA.USER32 ref: 032DCD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 032DCD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 032DCD89
• CloseHandle.KERNEL32(?), ref: 032DCD98
• CloseHandle.KERNEL32(?), ref: 032DCD9D
• DeleteFileA.KERNEL32(?), ref: 032DCDC4
• CloseHandle.KERNEL32(032DA4B3), ref: 032DCDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 032DCFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 032DCFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 032DD033
• lstrcatA.KERNEL32(?,04900108), ref: 032DD10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 032DD155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 032DD171
• WriteFile.KERNEL32(00000000,0490012C,?,?,00000000), ref: 032DD195
• CloseHandle.KERNEL32(00000000), ref: 032DD19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 032DD1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 032DD231
• lstrcatA.KERNEL32(?,04900108,?,?,?,?,?,?,?,00000100), ref: 032DD27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 032DD2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 032DD2C7
• WriteFile.KERNEL32(00000000,0490012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 032DD2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 032DD2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 032DD326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 032DD372
                                                                                    • lstrcatA.KERNEL32(?,04900108,?,?,?,?,?,?,?,00000100), ref: 032DD3BD
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 032DD3EC
                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 032DD408
                                                                                    • WriteFile.KERNEL32(00000000,0490012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 032DD428
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 032DD42F
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 032DD45B
                                                                                    • CreateProcessA.KERNEL32(?,032E0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 032DD4DE
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 032DD4F4
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 032DD4FC
                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 032DD513
                                                                                    • closesocket.WS2_32(?), ref: 032DD56C
                                                                                    • Sleep.KERNEL32(000003E8), ref: 032DD577
                                                                                    • ExitProcess.KERNEL32 ref: 032DD583
                                                                                    • wsprintfA.USER32 ref: 032DD81F
                                                                                      • Part of subcall function 032DC65C: send.WS2_32(00000000,?,00000000), ref: 032DC74B
                                                                                    • closesocket.WS2_32(?), ref: 032DDAD5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                    • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                    • API String ID: 562065436-560688855
                                                                                    • Opcode ID: a0f9ba3f568db225798814e6ec6395a4b540ed35f20a702c99aeb5e83f428aa3
                                                                                    • Instruction ID: 25820bae0b3b3247657cf1b40bde114345857aa7dbe36c9e217b8acef623d3bd
                                                                                    • Opcode Fuzzy Hash: a0f9ba3f568db225798814e6ec6395a4b540ed35f20a702c99aeb5e83f428aa3
                                                                                    • Instruction Fuzzy Hash: 33B2B975960319AFEB21EFA4EC49EEEBBBDEF04300F148469E605AB141D7B099C5CB50
                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 032D9A7F
                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 032D9A83
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(032D6511), ref: 032D9A8A
                                                                                      • Part of subcall function 032DEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 032DEC5E
                                                                                      • Part of subcall function 032DEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 032DEC72
                                                                                      • Part of subcall function 032DEC54: GetTickCount.KERNEL32 ref: 032DEC78
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 032D9AB3
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 032D9ABA
                                                                                    • GetCommandLineA.KERNEL32 ref: 032D9AFD
                                                                                    • lstrlenA.KERNEL32(?), ref: 032D9B99
                                                                                    • ExitProcess.KERNEL32 ref: 032D9C06
                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 032D9CAC
                                                                                    • lstrcpyA.KERNEL32(?,00000000), ref: 032D9D7A
                                                                                    • lstrcatA.KERNEL32(?,?), ref: 032D9D8B
                                                                                    • lstrcatA.KERNEL32(?,032E070C), ref: 032D9D9D
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 032D9DED
                                                                                    • DeleteFileA.KERNEL32(00000022), ref: 032D9E38
                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 032D9E6F
                                                                                    • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 032D9EC8
                                                                                    • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 032D9ED5
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 032D9F3B
                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 032D9F5E
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 032D9F6A
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 032D9FAD
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 032D9FB4
                                                                                    • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 032D9FFE
                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 032DA038
                                                                                    • lstrcatA.KERNEL32(00000022,032E0A34), ref: 032DA05E
                                                                                    • lstrcatA.KERNEL32(00000022,00000022), ref: 032DA072
                                                                                    • lstrcatA.KERNEL32(00000022,032E0A34), ref: 032DA08D
                                                                                    • wsprintfA.USER32 ref: 032DA0B6
                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 032DA0DE
                                                                                    • lstrcatA.KERNEL32(00000022,?), ref: 032DA0FD
                                                                                    • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 032DA120
                                                                                    • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 032DA131
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 032DA174
                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 032DA17B
                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 032DA1B6
                                                                                    • GetCommandLineA.KERNEL32 ref: 032DA1E5
                                                                                      • Part of subcall function 032D99D2: lstrcpyA.KERNEL32(?,?,00000100,032E22F8,00000000,?,032D9E9D,?,00000022,?,?,?,?,?,?,?), ref: 032D99DF
                                                                                      • Part of subcall function 032D99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,032D9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 032D9A3C
                                                                                      • Part of subcall function 032D99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,032D9E9D,?,00000022,?,?,?), ref: 032D9A52
                                                                                    • lstrlenA.KERNEL32(?), ref: 032DA288
                                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 032DA3B7
                                                                                    • GetLastError.KERNEL32 ref: 032DA3ED
                                                                                    • Sleep.KERNEL32(000003E8), ref: 032DA400
                                                                                    • DeleteFileA.KERNELBASE(032E33D8), ref: 032DA407
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,032D405E,00000000,00000000,00000000), ref: 032DA42C
                                                                                    • WSAStartup.WS2_32(00001010,?), ref: 032DA43A
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,032D877E,00000000,00000000,00000000), ref: 032DA469
                                                                                    • Sleep.KERNELBASE(00000BB8), ref: 032DA48A
                                                                                    • GetTickCount.KERNEL32 ref: 032DA49F
                                                                                    • GetTickCount.KERNEL32 ref: 032DA4B7
                                                                                    • Sleep.KERNELBASE(00001A90), ref: 032DA4C3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                    • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$D$P$\$rxarouyf
                                                                                    • API String ID: 2089075347-1793620045
                                                                                    • Opcode ID: e81ca24c3a9ee87903cebd919cc0eb8c8775990eccec7e9bd3be8354ff4c74cc
                                                                                    • Instruction ID: e16e0d7baa6e66c62cb003eb6c188d014ee007c294d6a59de6e655f21844f89f
                                                                                    • Opcode Fuzzy Hash: e81ca24c3a9ee87903cebd919cc0eb8c8775990eccec7e9bd3be8354ff4c74cc
                                                                                    • Instruction Fuzzy Hash: 1852A6B5C50359AFDF11EFA1DC49EEE77BCAB04700F1884A5F509EA141D7B09AC58B60

                                                                                    Control-flow Graph
                                                                                    (graph rendering not reproduced; basic blocks 32d199c-32d1ac2, calls in graph order: inet_addr, LoadLibraryA, GetProcAddress (three times), GetBestInterface, GetProcessHeap, HeapAlloc, GetAdaptersInfo, HeapReAlloc, GetAdaptersInfo, HeapFree, FreeLibrary; a second FreeLibrary sits on the early-exit path after the GetProcAddress lookups)
                                                                                    APIs
                                                                                    • inet_addr.WS2_32(123.45.67.89), ref: 032D19B1
                                                                                    • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,032D1E9E), ref: 032D19BF
                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 032D19E2
                                                                                    • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 032D19ED
                                                                                    • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 032D19F9
                                                                                    • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,032D1E9E), ref: 032D1A1B
                                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000001,032D1E9E), ref: 032D1A1D
                                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,032D1E9E), ref: 032D1A36
                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,032D1E9E,?,?,?,?,00000001,032D1E9E), ref: 032D1A4A
                                                                                    • HeapReAlloc.KERNEL32(?,00000000,00000000,032D1E9E,?,?,?,?,00000001,032D1E9E), ref: 032D1A5A
                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,032D1E9E,?,?,?,?,00000001,032D1E9E), ref: 032D1A6E
                                                                                    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,032D1E9E), ref: 032D1A9B
                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,032D1E9E), ref: 032D1AA4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                    • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                    • API String ID: 293628436-270533642
                                                                                    • Opcode ID: ee020c9297f8c0700c3172d6d3ddb46e12bd422f2a4c3d622ac8189553030f95
                                                                                    • Instruction ID: 023aaee57ab973b38fa312dd768d87e3c74fa141e03bee6d23ae997e349e5926
                                                                                    • Opcode Fuzzy Hash: ee020c9297f8c0700c3172d6d3ddb46e12bd422f2a4c3d622ac8189553030f95
                                                                                    • Instruction Fuzzy Hash: A831A036D1020AAFCF51EFE5DD8D8BEBBB9EF44601B588179E101AB500D7B05E91CB90

                                                                                    Control-flow Graph
                                                                                    (graph rendering not reproduced; basic blocks 32d7a95-32d7db6, calls in graph order: RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, LocalFree, GetSecurityDescriptorDacl, GetAce loop with EqualSid and DeleteAce, RegOpenKeyExA, call 32d2544, RegSetValueExA, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegSetKeySecurity, LocalFree, RegCloseKey)
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 032D7ABA
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 032D7ADF
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,032E070C,?,?,?), ref: 032D7B16
                                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 032D7B3B
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 032D7B59
                                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 032D7B6A
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 032D7B7E
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 032D7B8C
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 032D7B9C
                                                                                    • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 032D7BAB
                                                                                    • LocalFree.KERNEL32(00000000), ref: 032D7BB2
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,032D7FC9,?,00000000), ref: 032D7BCE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                    • String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$D
                                                                                    • API String ID: 2976863881-616653794
                                                                                    • Opcode ID: dc0c5fbbfcd40b3d31e7e02e11cfe99db065b50bca529645f6dd5d06338fd45e
                                                                                    • Instruction ID: 9879cb3ff1f67aab781cc162856f926ccb99c153fee34e001b15de0c6dfe36db
                                                                                    • Opcode Fuzzy Hash: dc0c5fbbfcd40b3d31e7e02e11cfe99db065b50bca529645f6dd5d06338fd45e
                                                                                    • Instruction Fuzzy Hash: BFA19F7190021AEFDF11EFA5DC89EEEBBBCFB04301F088069E505E6144E7799A85CB60

                                                                                    Control-flow Graph
                                                                                    (graph rendering not reproduced; basic blocks 32d7809-32d7a94, calls in graph order: GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA, LocalFree, GetSecurityDescriptorDacl, GetAce loop with EqualSid and DeleteAce, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetFileSecurityA, LocalFree)
                                                                                    APIs
                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 032D782F
                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 032D7866
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 032D7878
                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 032D789A
                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,032D7F63,?), ref: 032D78B8
                                                                                    • EqualSid.ADVAPI32(?,032D7F63), ref: 032D78D2
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 032D78E3
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 032D78F1
                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 032D7901
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 032D7910
                                                                                    • LocalFree.KERNEL32(00000000), ref: 032D7917
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 032D7933
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 032D7963
                                                                                    • EqualSid.ADVAPI32(?,032D7F63), ref: 032D798A
                                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 032D79A3
                                                                                    • EqualSid.ADVAPI32(?,032D7F63), ref: 032D79C5
                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 032D7A4A
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 032D7A58
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 032D7A69
                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 032D7A79
                                                                                    • LocalFree.KERNEL32(00000000), ref: 032D7A87
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                    • String ID: D
                                                                                    • API String ID: 3722657555-2746444292
                                                                                    • Opcode ID: f9503b1e8d489b6cef9f47a625f140be74a10417994cd431c2204a17cbc51747
                                                                                    • Instruction ID: b723cb9723e1ade48ac7c95884d43312b6a56a86a3cf3a85c46178e8e0384ff4
                                                                                    • Opcode Fuzzy Hash: f9503b1e8d489b6cef9f47a625f140be74a10417994cd431c2204a17cbc51747
                                                                                    • Instruction Fuzzy Hash: 00817F72D1011AABDF21DFA9D949EEEBBBCEF08341F148169E505E6140D7798A81CFA0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph rendering for the function covering blocks 32d8328 to 32d877d; node and edge dump not reproduced, API call sites are listed below]
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,032E0750,?,?,00000000,localcfg,00000000), ref: 032D83F3
                                                                                    • RegQueryValueExA.KERNELBASE(032E0750,?,00000000,?,032D8893,?,?,?,00000000,00000103,032E0750,?,?,00000000,localcfg,00000000), ref: 032D8414
                                                                                    • RegSetValueExA.KERNELBASE(032E0750,?,00000000,00000004,032D8893,00000004,?,?,00000000,00000103,032E0750,?,?,00000000,localcfg,00000000), ref: 032D8441
                                                                                    • RegCloseKey.ADVAPI32(032E0750,?,?,00000000,00000103,032E0750,?,?,00000000,localcfg,00000000), ref: 032D844A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Value$CloseOpenQuery
                                                                                    • String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe$localcfg
                                                                                    • API String ID: 237177642-3663302472
                                                                                    • Opcode ID: ed77338cb1a8c981adf9cf40da50c8081f1d38db146b202de5850c6a088bb7b0
                                                                                    • Instruction ID: 3179f3df156f4b9dd69dc2e2db3282289944819f410bc0a8b5f605697d81a28c
                                                                                    • Opcode Fuzzy Hash: ed77338cb1a8c981adf9cf40da50c8081f1d38db146b202de5850c6a088bb7b0
                                                                                    • Instruction Fuzzy Hash: 33C1B5B5D5024DFEEF11EBA4DC85EEEBBBCEB04300F1884A5F505AA041E7B15AC58B61

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32 ref: 032D1DC6
                                                                                    • GetSystemInfo.KERNELBASE(?), ref: 032D1DE8
                                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 032D1E03
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 032D1E0A
                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 032D1E1B
                                                                                    • GetTickCount.KERNEL32 ref: 032D1FC9
                                                                                      • Part of subcall function 032D1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 032D1C15
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                    • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                    • API String ID: 4207808166-1381319158
                                                                                    • Opcode ID: 4442b479f60580908f27b17403848a436656aaf565da04b41d49cbe53befdbdc
                                                                                    • Instruction ID: d98af8ea7ec47329ab534c24e9cc8b5e83ff380abe6c1b7725ef57309ad224ed
                                                                                    • Opcode Fuzzy Hash: 4442b479f60580908f27b17403848a436656aaf565da04b41d49cbe53befdbdc
                                                                                    • Instruction Fuzzy Hash: 2C5107B09243446FE360EF769C86F2BBBECEF44604F44481CE5968A542D7F4B584C7A1

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph rendering for the function covering blocks 32d73ff to 32d7808; node and edge dump not reproduced, API call sites are listed below]
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 032D7472
                                                                                    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 032D74F0
                                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 032D7528
                                                                                    • ___ascii_stricmp.LIBCMT ref: 032D764D
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 032D76E7
                                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 032D7706
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 032D7717
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 032D7745
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 032D77EF
                                                                                      • Part of subcall function 032DF1A5: lstrlenA.KERNEL32(000000C8,000000E4,032E22F8,000000C8,032D7150,?), ref: 032DF1AD
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 032D778F
                                                                                    • RegCloseKey.KERNELBASE(?), ref: 032D77E6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                    • String ID: "
                                                                                    • API String ID: 3433985886-123907689
                                                                                    • Opcode ID: f8c31caa8078ec67a2f85e9961c07edc655e5a5b9fd644d211b62faee3d180c2
                                                                                    • Instruction ID: a85b65ef54948ef41b9e393728c7a0e40aa7dcd01695c7947f6e1f759d08357f
                                                                                    • Opcode Fuzzy Hash: f8c31caa8078ec67a2f85e9961c07edc655e5a5b9fd644d211b62faee3d180c2
                                                                                    • Instruction Fuzzy Hash: 2BC1C77191020AAFEB11DFA9DC45FEEBBBDEF44310F144495E504EA190EBB4DAC48B60

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph rendering for the function covering blocks 32d675c to 32d6986; node and edge dump not reproduced, API call sites are listed below]
                                                                                    APIs
                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 032D677E
                                                                                    • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 032D679A
                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 032D67B0
                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 032D67BF
                                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 032D67D3
                                                                                    • ReadFile.KERNELBASE(000000FF,?,00000040,032D8244,00000000,?,74DF0F10,00000000), ref: 032D6807
                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 032D681F
                                                                                    • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 032D683E
                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 032D685C
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,032D8244,00000000,?,74DF0F10,00000000), ref: 032D688B
                                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 032D6906
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,032D8244,00000000,?,74DF0F10,00000000), ref: 032D691C
                                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 032D6971
                                                                                      • Part of subcall function 032DEC2E: GetProcessHeap.KERNEL32(00000000,032DEA27,00000000,032DEA27,00000000), ref: 032DEC41
                                                                                      • Part of subcall function 032DEC2E: RtlFreeHeap.NTDLL(00000000), ref: 032DEC48
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                    • String ID:
                                                                                    • API String ID: 1400801100-0
                                                                                    • Opcode ID: f0e0751555a2dc458238585982d230b926bc3f16de9e4810e566c1e4ecaca763
                                                                                    • Instruction ID: 43ad6a18f072abed1d53d21144e0d93220dbe197dc03623a17f6811c5cd4e1e3
                                                                                    • Opcode Fuzzy Hash: f0e0751555a2dc458238585982d230b926bc3f16de9e4810e566c1e4ecaca763
                                                                                    • Instruction Fuzzy Hash: 2B7156B1C1025EEFDF10DFA4CC849EEBBB8FB04314F5485AAE515A6190E7709E92CB60

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph rendering for the function covering blocks 32df315 to 32df427; node and edge dump not reproduced, API call sites are listed below]
                                                                                    APIs
                                                                                    • htons.WS2_32(032DCA1D), ref: 032DF34D
                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 032DF367
                                                                                    • closesocket.WS2_32(00000000), ref: 032DF375
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: closesockethtonssocket
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 311057483-2401304539
                                                                                    • Opcode ID: fc831b56fa4c15e7fc9fcc25aa2e3bd3b55da618c7710b174aa145558bb3394d
                                                                                    • Instruction ID: bb7325c8707b1bde4f6247888090881e2c90e4e3b354baf3a606faeb4edbfa05
                                                                                    • Opcode Fuzzy Hash: fc831b56fa4c15e7fc9fcc25aa2e3bd3b55da618c7710b174aa145558bb3394d
                                                                                    • Instruction Fuzzy Hash: 8D31A276914219BBDB10DFA5EC89DEE7BFCEF48310F008166FA05D7140D7B08A818BA4

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph rendering for the function covering blocks 32d405e to 32d427b; node and edge dump not reproduced, API call sites are listed below]
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 032D4070
                                                                                    • ExitProcess.KERNEL32 ref: 032D4121
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateEventExitProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2404124870-0
                                                                                    • Opcode ID: 88ad670797b2e95d268f77ccc0e049d78665e837d18a8a5452749d8b38ce6ee1
                                                                                    • Instruction ID: 97a3c1ffdd49ce8169d542f2e86d74c70001c96a703213f182add3b3469464ae
                                                                                    • Opcode Fuzzy Hash: 88ad670797b2e95d268f77ccc0e049d78665e837d18a8a5452749d8b38ce6ee1
                                                                                    • Instruction Fuzzy Hash: CB5183B5D60209BBDF10FBA2DC89FBF7B7CEB15615F144055F600AA080EBB18A81C7A1

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1233 32d2d21-32d2d44 GetModuleHandleA 1234 32d2d5b-32d2d69 GetProcAddress 1233->1234 1235 32d2d46-32d2d52 LoadLibraryA 1233->1235 1236 32d2d54-32d2d56 1234->1236 1237 32d2d6b-32d2d7b DnsQuery_A 1234->1237 1235->1234 1235->1236 1238 32d2dee-32d2df1 1236->1238 1237->1236 1239 32d2d7d-32d2d88 1237->1239 1240 32d2deb 1239->1240 1241 32d2d8a-32d2d8b 1239->1241 1240->1238 1242 32d2d90-32d2d95 1241->1242 1243 32d2d97-32d2daa GetProcessHeap HeapAlloc 1242->1243 1244 32d2de2-32d2de8 1242->1244 1245 32d2dea 1243->1245 1246 32d2dac-32d2dd9 call 32dee2a lstrcpynA 1243->1246 1244->1242 1244->1245 1245->1240 1249 32d2ddb-32d2dde 1246->1249 1250 32d2de0 1246->1250 1249->1244 1250->1244
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,032D2F01,?,032D20FF,032E2000), ref: 032D2D3A
                                                                                    • LoadLibraryA.KERNEL32(?), ref: 032D2D4A
                                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 032D2D61
                                                                                    • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 032D2D77
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 032D2D99
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 032D2DA0
                                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 032D2DCB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                                    • API String ID: 233223969-3847274415
                                                                                    • Opcode ID: d6db52e63327fabbc1b80e9afb7bec5c6354fde8fc57a88b9a4d5955b609d4f2
                                                                                    • Instruction ID: 2b3225ad1aad227532aad1d5a86d7b36514d2c028399906b88403f2e363dc614
                                                                                    • Opcode Fuzzy Hash: d6db52e63327fabbc1b80e9afb7bec5c6354fde8fc57a88b9a4d5955b609d4f2
                                                                                    • Instruction Fuzzy Hash: 9C218171910326EBCB21DF95DC499AEBBBCEF08B51F048491F845EB108D3B099C28BE0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1251 32d80c9-32d80ed call 32d6ec3 1254 32d80ef call 32d7ee6 1251->1254 1255 32d80f9-32d8115 call 32d704c 1251->1255 1258 32d80f4 1254->1258 1260 32d8225-32d822b 1255->1260 1261 32d811b-32d8121 1255->1261 1258->1260 1262 32d822d-32d8233 1260->1262 1263 32d826c-32d8273 1260->1263 1261->1260 1264 32d8127-32d812a 1261->1264 1262->1263 1265 32d8235-32d823f call 32d675c 1262->1265 1264->1260 1266 32d8130-32d8167 call 32d2544 RegOpenKeyExA 1264->1266 1269 32d8244-32d824b 1265->1269 1272 32d816d-32d818b RegQueryValueExA 1266->1272 1273 32d8216-32d8222 call 32dee2a 1266->1273 1269->1263 1271 32d824d-32d8269 call 32d24c2 call 32dec2e 1269->1271 1271->1263 1276 32d818d-32d8191 1272->1276 1277 32d81f7-32d81fe 1272->1277 1273->1260 1276->1277 1278 32d8193-32d8196 1276->1278 1281 32d820d-32d8210 RegCloseKey 1277->1281 1282 32d8200-32d8206 call 32dec2e 1277->1282 1278->1277 1283 32d8198-32d81a8 call 32debcc 1278->1283 1281->1273 1289 32d820c 1282->1289 1283->1281 1291 32d81aa-32d81c2 RegQueryValueExA 1283->1291 1289->1281 1291->1277 1292 32d81c4-32d81ca 1291->1292 1293 32d81cd-32d81d2 1292->1293 1293->1293 1294 32d81d4-32d81e5 call 32debcc 1293->1294 1294->1281 1297 32d81e7-32d81f5 call 32def00 1294->1297 1297->1289
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 032D815F
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,032DA45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 032D8187
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,032DA45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 032D81BE
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 032D8210
                                                                                      • Part of subcall function 032D675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 032D677E
                                                                                      • Part of subcall function 032D675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 032D679A
                                                                                      • Part of subcall function 032D675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 032D67B0
                                                                                      • Part of subcall function 032D675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 032D67BF
                                                                                      • Part of subcall function 032D675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 032D67D3
                                                                                      • Part of subcall function 032D675C: ReadFile.KERNELBASE(000000FF,?,00000040,032D8244,00000000,?,74DF0F10,00000000), ref: 032D6807
                                                                                      • Part of subcall function 032D675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 032D681F
                                                                                      • Part of subcall function 032D675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 032D683E
                                                                                      • Part of subcall function 032D675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 032D685C
                                                                                      • Part of subcall function 032DEC2E: GetProcessHeap.KERNEL32(00000000,032DEA27,00000000,032DEA27,00000000), ref: 032DEC41
                                                                                      • Part of subcall function 032DEC2E: RtlFreeHeap.NTDLL(00000000), ref: 032DEC48
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                    • String ID: C:\Windows\SysWOW64\rxarouyf\cwworbfr.exe
                                                                                    • API String ID: 124786226-3473164681
                                                                                    • Opcode ID: 4d0950ed40ce85b5d3594b9bb157617418cffa9a439909ad80421e63fee9491f
                                                                                    • Instruction ID: 99e8f4a30204ea60cfd09d147009393d13a90a0091691a5bcaa28a25103b8c70
                                                                                    • Opcode Fuzzy Hash: 4d0950ed40ce85b5d3594b9bb157617418cffa9a439909ad80421e63fee9491f
                                                                                    • Instruction Fuzzy Hash: 7341CAB691135DFFDB10FBA0ED89DBE777CDB04604F1488A6E501DB004E6709AC48B61

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1300 32d1ac3-32d1adc LoadLibraryA 1301 32d1b6b-32d1b70 1300->1301 1302 32d1ae2-32d1af3 GetProcAddress 1300->1302 1303 32d1b6a 1302->1303 1304 32d1af5-32d1b01 1302->1304 1303->1301 1305 32d1b1c-32d1b27 GetAdaptersAddresses 1304->1305 1306 32d1b29-32d1b2b 1305->1306 1307 32d1b03-32d1b12 call 32debed 1305->1307 1308 32d1b2d-32d1b32 1306->1308 1309 32d1b5b-32d1b5e 1306->1309 1307->1306 1315 32d1b14-32d1b1b 1307->1315 1311 32d1b69 1308->1311 1312 32d1b34-32d1b3b 1308->1312 1309->1311 1313 32d1b60-32d1b68 call 32dec2e 1309->1313 1311->1303 1316 32d1b3d-32d1b52 1312->1316 1317 32d1b54-32d1b59 1312->1317 1313->1311 1315->1305 1316->1316 1316->1317 1317->1309 1317->1312
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 032D1AD4
                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 032D1AE9
                                                                                    • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 032D1B20
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                    • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                    • API String ID: 3646706440-1087626847
                                                                                    • Opcode ID: badd1a2af0caced3980c4d80046d498788a2c3822cfae15fdf151598baffe71d
                                                                                    • Instruction ID: 54af7045e94b4b2e719fa1f924cb7b042cab684e500bf2316365c8c0da20604e
                                                                                    • Opcode Fuzzy Hash: badd1a2af0caced3980c4d80046d498788a2c3822cfae15fdf151598baffe71d
                                                                                    • Instruction Fuzzy Hash: F3113875E21238BFCF61DBA5DC85CEDFBB9EB44B10B198056E005EB501E6706AD1CB80

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1320 32de3ca-32de3ee RegOpenKeyExA 1321 32de528-32de52d 1320->1321 1322 32de3f4-32de3fb 1320->1322 1323 32de3fe-32de403 1322->1323 1323->1323 1324 32de405-32de40f 1323->1324 1325 32de414-32de452 call 32dee08 call 32df1ed RegQueryValueExA 1324->1325 1326 32de411-32de413 1324->1326 1331 32de51d-32de527 RegCloseKey 1325->1331 1332 32de458-32de486 call 32df1ed RegQueryValueExA 1325->1332 1326->1325 1331->1321 1335 32de488-32de48a 1332->1335 1335->1331 1336 32de490-32de4a1 call 32ddb2e 1335->1336 1336->1331 1339 32de4a3-32de4a6 1336->1339 1340 32de4a9-32de4d3 call 32df1ed RegQueryValueExA 1339->1340 1343 32de4e8-32de4ea 1340->1343 1344 32de4d5-32de4da 1340->1344 1343->1331 1346 32de4ec-32de516 call 32d2544 call 32de332 1343->1346 1344->1343 1345 32de4dc-32de4e6 1344->1345 1345->1340 1345->1343 1346->1331
                                                                                    APIs
                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,032DE5F2,00000000,00020119,032DE5F2,032E22F8), ref: 032DE3E6
                                                                                    • RegQueryValueExA.ADVAPI32(032DE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 032DE44E
                                                                                    • RegQueryValueExA.ADVAPI32(032DE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 032DE482
                                                                                    • RegQueryValueExA.ADVAPI32(032DE5F2,?,00000000,?,80000001,?), ref: 032DE4CF
                                                                                    • RegCloseKey.ADVAPI32(032DE5F2,?,?,?,?,000000C8,000000E4), ref: 032DE520
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue$CloseOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1586453840-0
                                                                                    • Opcode ID: 8cf45f0a29004a292d2eeef7b5f7be6e59ae45365eeec7e46fb13e58657632e1
                                                                                    • Instruction ID: 63c78acf2517db4726c98739e507556959412c6aa52c3765bdca3f7779525067
                                                                                    • Opcode Fuzzy Hash: 8cf45f0a29004a292d2eeef7b5f7be6e59ae45365eeec7e46fb13e58657632e1
                                                                                    • Instruction Fuzzy Hash: 594148B2D0021EBFDF11EFE4DC85DEEBBBDEB04344F154066EA10AA150E3719A958B60

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1351 32df26d-32df303 setsockopt * 5
                                                                                    APIs
                                                                                    • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 032DF2A0
                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 032DF2C0
                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 032DF2DD
                                                                                    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 032DF2EC
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 032DF2FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: setsockopt
                                                                                    • String ID:
                                                                                    • API String ID: 3981526788-0
                                                                                    • Opcode ID: d0ea01126c8b82c1b60450087838464c8b6cc2d2e107b28645e469538d112ce4
                                                                                    • Instruction ID: 78ed8b550869221ad055f9944232c6cb772dde33f5c958716875d19b5f5f5408
                                                                                    • Opcode Fuzzy Hash: d0ea01126c8b82c1b60450087838464c8b6cc2d2e107b28645e469538d112ce4
                                                                                    • Instruction Fuzzy Hash: F011FBB1A40248BAEB11DE95CD45F9E7FBCEB44751F008066BB04EA1D0E6B19A45CB94

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1352 32d1bdf-32d1c04 call 32d1ac3 1354 32d1c09-32d1c0b 1352->1354 1355 32d1c0d-32d1c1d GetComputerNameA 1354->1355 1356 32d1c5a-32d1c5e 1354->1356 1357 32d1c1f-32d1c24 1355->1357 1358 32d1c45-32d1c57 GetVolumeInformationA 1355->1358 1357->1358 1359 32d1c26-32d1c3b 1357->1359 1358->1356 1359->1359 1360 32d1c3d-32d1c3f 1359->1360 1360->1358 1361 32d1c41-32d1c43 1360->1361 1361->1356
                                                                                    APIs
                                                                                      • Part of subcall function 032D1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 032D1AD4
                                                                                      • Part of subcall function 032D1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 032D1AE9
                                                                                      • Part of subcall function 032D1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 032D1B20
                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 032D1C15
                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 032D1C51
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                    • String ID: hi_id$localcfg
                                                                                    • API String ID: 2794401326-2393279970
                                                                                    • Opcode ID: 119cd519379acd896a09f5d78ffbd68cf9eab886de6d979b8603b3c60f3222dc
                                                                                    • Instruction ID: b2d9ac129e4226b9c514f28836d1638439dbd67364591317849d48b40fe503e6
                                                                                    • Opcode Fuzzy Hash: 119cd519379acd896a09f5d78ffbd68cf9eab886de6d979b8603b3c60f3222dc
                                                                                    • Instruction Fuzzy Hash: 13019276A10119BFEB90DAF9C8C68EFFBBCEB44645F144475E602E3540D270AE8486A1
                                                                                    APIs
                                                                                      • Part of subcall function 032D1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 032D1AD4
                                                                                      • Part of subcall function 032D1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 032D1AE9
                                                                                      • Part of subcall function 032D1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 032D1B20
                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 032D1BA3
                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,032D1EFD,00000000,00000000,00000000,00000000), ref: 032D1BB8
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 2794401326-1857712256
                                                                                    • Opcode ID: b3e2ea8576add11cf31933dd468937985997a5db529ca05d8e53a80fe3a5330c
                                                                                    • Instruction ID: 406688823f803299c4137ab291bcd4d0e7aa8d9e5e56bb5531ee752dd2983282
                                                                                    • Opcode Fuzzy Hash: b3e2ea8576add11cf31933dd468937985997a5db529ca05d8e53a80fe3a5330c
                                                                                    • Instruction Fuzzy Hash: 07014BB6D00108BFEB40DAE9C8859EFFABDAB48651F154162A601EB140D5B06E4986A0
                                                                                    APIs
                                                                                    • inet_addr.WS2_32(00000001), ref: 032D2693
                                                                                    • gethostbyname.WS2_32(00000001), ref: 032D269F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: gethostbynameinet_addr
                                                                                    • String ID: time_cfg
                                                                                    • API String ID: 1594361348-2401304539
                                                                                    • Opcode ID: 0bfedac0df1128039f98472425fb368176346a399ed2e411565e19a23d42e890
                                                                                    • Instruction ID: 125e4ec4243feb23d3558135845c3528888b791fc1c7f78df5d8828213d34680
                                                                                    • Opcode Fuzzy Hash: 0bfedac0df1128039f98472425fb368176346a399ed2e411565e19a23d42e890
                                                                                    • Instruction Fuzzy Hash: 2DE0EC306246129FDB50DA28F448A8577E9EF46230F098985F454DB194D77098C19A94
                                                                                    APIs
                                                                                      • Part of subcall function 032DDD05: GetTickCount.KERNEL32 ref: 032DDD0F
                                                                                      • Part of subcall function 032DDD05: InterlockedExchange.KERNEL32(032E36B4,00000001), ref: 032DDD44
                                                                                      • Part of subcall function 032DDD05: GetCurrentThreadId.KERNEL32 ref: 032DDD53
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,032DA445), ref: 032DE558
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,032DA445), ref: 032DE583
                                                                                    • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,032DA445), ref: 032DE5B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                    • String ID:
                                                                                    • API String ID: 3683885500-0
                                                                                    • Opcode ID: 307040b48709720622138343ac0860bda2164b3145cb35aaeb84df6e47f76ad3
                                                                                    • Instruction ID: 25732e6487e62307ff88def911f4434e9ec5dd59d3710e939feb0ba8bef42d53
                                                                                    • Opcode Fuzzy Hash: 307040b48709720622138343ac0860bda2164b3145cb35aaeb84df6e47f76ad3
                                                                                    • Instruction Fuzzy Hash: 902129BA5603057AE124FA32AC0AFAB7D0CDF55751F414814FE09BD1C2E9E1E59181F1
                                                                                    APIs
                                                                                    • Sleep.KERNELBASE(000003E8), ref: 032D88A5
                                                                                      • Part of subcall function 032DF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,032DE342,00000000,75A8EA50,80000001,00000000,032DE513,?,00000000,00000000,?,000000E4), ref: 032DF089
                                                                                      • Part of subcall function 032DF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,032DE342,00000000,75A8EA50,80000001,00000000,032DE513,?,00000000,00000000,?,000000E4,000000C8), ref: 032DF093
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$FileSystem$Sleep
                                                                                    • String ID: localcfg$rresolv
                                                                                    • API String ID: 1561729337-486471987
                                                                                    • Opcode ID: 74dc6b4dcd7baa65529fbb8aac6dd722e53a9adb7188e60518c57709d62a5b0e
                                                                                    • Instruction ID: f4a8b68db6dcf7866c1e5f20dab2f2d004e1a9ed7a95d6708ad61d3f1347f3bd
                                                                                    • Opcode Fuzzy Hash: 74dc6b4dcd7baa65529fbb8aac6dd722e53a9adb7188e60518c57709d62a5b0e
                                                                                    • Instruction Fuzzy Hash: 7E210635568315BAF314FBA5BD4BF6E3A9CEB00711F944809FA09CE0C6EEE045C081B2
                                                                                    APIs
                                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,032E22F8,032D42B6,00000000,00000001,032E22F8,00000000,?,032D98FD), ref: 032D4021
                                                                                    • GetLastError.KERNEL32(?,032D98FD,00000001,00000100,032E22F8,032DA3C7), ref: 032D402C
                                                                                    • Sleep.KERNEL32(000001F4,?,032D98FD,00000001,00000100,032E22F8,032DA3C7), ref: 032D4046
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateErrorFileLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 408151869-0
                                                                                    • Opcode ID: c2327a6974ff267cacc98c061324530c0189fc39db5c35261040239ccc8a897d
                                                                                    • Instruction ID: 05b767649b537b63c7a3b148fb82d0a142be2c1b1ae004d09e79280b15732d51
                                                                                    • Opcode Fuzzy Hash: c2327a6974ff267cacc98c061324530c0189fc39db5c35261040239ccc8a897d
                                                                                    • Instruction Fuzzy Hash: 0DF0A7312641026BDB39AA26FC4AB5E7265DB81732F298B24F3B5E60D0CAB054C69B15
                                                                                    APIs
                                                                                    • GetEnvironmentVariableA.KERNEL32(032DDC19,?,00000104), ref: 032DDB7F
                                                                                    • lstrcpyA.KERNEL32(?,032E28F8), ref: 032DDBA4
                                                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 032DDBC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 2536392590-0
                                                                                    • Opcode ID: 57faafd25aa0a7e183dac9f70fafb35e607621344869b778ca34b38be087a1bc
                                                                                    • Instruction ID: 44610c8fc18120e7d0e38cebde68f8ff0664eeee648689d0d634ddc700217432
                                                                                    • Opcode Fuzzy Hash: 57faafd25aa0a7e183dac9f70fafb35e607621344869b778ca34b38be087a1bc
                                                                                    • Instruction Fuzzy Hash: 8AF0B470150209ABEF20DF64EC4AFD93B69BF00318F108194BB91A80D0D7F2D586CF10
                                                                                    APIs
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 032DEC5E
                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 032DEC72
                                                                                    • GetTickCount.KERNEL32 ref: 032DEC78
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                                    • String ID:
                                                                                    • API String ID: 1209300637-0
                                                                                    • Opcode ID: 1b69426f1053b0f78c3b65026410ecae4ca3c95b23c134d7209c962a7773a28e
                                                                                    • Instruction ID: 6fe5687826a6e994dae854f833b673dc1bb1fcda6226a4bb87a18568629f337d
                                                                                    • Opcode Fuzzy Hash: 1b69426f1053b0f78c3b65026410ecae4ca3c95b23c134d7209c962a7773a28e
                                                                                    • Instruction Fuzzy Hash: 3DE09AF5810104BFEB01EBB1EC4EDAB77BCEB08215F508654B911DA084DAB09A058B64
                                                                                    APIs
                                                                                    • gethostname.WS2_32(?,00000080), ref: 032D30D8
                                                                                    • gethostbyname.WS2_32(?), ref: 032D30E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: gethostbynamegethostname
                                                                                    • String ID:
                                                                                    • API String ID: 3961807697-0
                                                                                    • Opcode ID: 8e1bef45525acff7e2b296d96e71613b1ad3b119d89d69d1a29216ac16558be0
                                                                                    • Instruction ID: 24f088157fb2566929a7403068cf8980913bb3eccb7891677a3d89fad237a687
                                                                                    • Opcode Fuzzy Hash: 8e1bef45525acff7e2b296d96e71613b1ad3b119d89d69d1a29216ac16558be0
                                                                                    • Instruction Fuzzy Hash: DEE09B75900119ABCF00EBA8FC89F8A77ECFF04204F088061F945EB244EA74E90587A0
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,032DDB55,7FFF0001), ref: 032DEC13
                                                                                    • RtlReAllocateHeap.NTDLL(00000000,?,032DDB55,7FFF0001), ref: 032DEC1A
                                                                                      • Part of subcall function 032DEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,032DEBFE,7FFF0001,?,032DDB55,7FFF0001), ref: 032DEBD3
                                                                                      • Part of subcall function 032DEBCC: RtlAllocateHeap.NTDLL(00000000,?,032DDB55,7FFF0001), ref: 032DEBDA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1357844191-0
                                                                                    • Opcode ID: 6e5f580ae3cce9b60902b8ff63216c521f9630aff61e1da095eedbdf5c8eecfb
                                                                                    • Instruction ID: 366fbc863c007653aba68c5ef6d5208775ba13a87f08357a699c8e2f2299ac4b
                                                                                    • Opcode Fuzzy Hash: 6e5f580ae3cce9b60902b8ff63216c521f9630aff61e1da095eedbdf5c8eecfb
                                                                                    • Instruction Fuzzy Hash: F8E01A3A115318BADF017AA4F809AA93B59EB04662F11C015FA0D8D060CBB299D1DA94
                                                                                    APIs
                                                                                      • Part of subcall function 032DEBA0: GetProcessHeap.KERNEL32(00000000,00000000,032DEC0A,00000000,80000001,?,032DDB55,7FFF0001), ref: 032DEBAD
                                                                                      • Part of subcall function 032DEBA0: HeapSize.KERNEL32(00000000,?,032DDB55,7FFF0001), ref: 032DEBB4
                                                                                    • GetProcessHeap.KERNEL32(00000000,032DEA27,00000000,032DEA27,00000000), ref: 032DEC41
                                                                                    • RtlFreeHeap.NTDLL(00000000), ref: 032DEC48
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$FreeSize
                                                                                    • String ID:
                                                                                    • API String ID: 1305341483-0
                                                                                    • Opcode ID: 01b6864fea9adc510949c553aae55b98bbc58d265ff18c05ac54fb914b4674b0
                                                                                    • Instruction ID: 7fa6cbc81b7149b7a5e4f0589775d14b5d0a9c2b2ca4bbc8fe0ca7c2cec78d8a
                                                                                    • Opcode Fuzzy Hash: 01b6864fea9adc510949c553aae55b98bbc58d265ff18c05ac54fb914b4674b0
                                                                                    • Instruction Fuzzy Hash: FFC01236416330ABC5517655B81DF9F6B18AF45A11F0A8409F4056E044C7E068814AE1
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,80000001,032DEBFE,7FFF0001,?,032DDB55,7FFF0001), ref: 032DEBD3
                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,032DDB55,7FFF0001), ref: 032DEBDA
                                                                                      • Part of subcall function 032DEB74: GetProcessHeap.KERNEL32(00000000,00000000,032DEC28,00000000,?,032DDB55,7FFF0001), ref: 032DEB81
                                                                                      • Part of subcall function 032DEB74: HeapSize.KERNEL32(00000000,?,032DDB55,7FFF0001), ref: 032DEB88
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$AllocateSize
                                                                                    • String ID:
                                                                                    • API String ID: 2559512979-0
                                                                                    • Opcode ID: 4d37dd84fa89d60d73a98e412fd8b5aee391bfd278283308ac4bfc630ca44342
                                                                                    • Instruction ID: 58292507fd1c6bebeab7aa11955f881a5c84e84d288fea34d0e5338357a0e078
                                                                                    • Opcode Fuzzy Hash: 4d37dd84fa89d60d73a98e412fd8b5aee391bfd278283308ac4bfc630ca44342
                                                                                    • Instruction Fuzzy Hash: A4C0803A105320A7C61137E97C0DE9A3E54EF04652F05C004F505CD154C77048418B91
                                                                                    APIs
                                                                                    • recv.WS2_32(000000C8,?,00000000,032DCA44), ref: 032DF476
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: recv
                                                                                    • String ID:
                                                                                    • API String ID: 1507349165-0
                                                                                    • Opcode ID: c6dd1b3fabbb33b6cb3ce448fcb62aa20c1cf89cb2b79991c0e8028698fa2dde
                                                                                    • Instruction ID: 630b6d64d42b38a17862732d948a2ea894321236d9e454e38a933bb4c6f9b477
                                                                                    • Opcode Fuzzy Hash: c6dd1b3fabbb33b6cb3ce448fcb62aa20c1cf89cb2b79991c0e8028698fa2dde
                                                                                    • Instruction Fuzzy Hash: AAF0823221414ABB9B019E9ADD84CAB3BAEFB892107044121FB05D7110D631D86187A0
                                                                                    APIs
                                                                                    • closesocket.WS2_32(00000000), ref: 032D1992
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: closesocket
                                                                                    • String ID:
                                                                                    • API String ID: 2781271927-0
                                                                                    • Opcode ID: 04db35c7b937425b50a6ceaf3161d73512f79915430dec5b5809449780ece080
                                                                                    • Instruction ID: 020e0c20d3b297210fd72ff811475ce5c6d5fd252c7a05c83b17007b8874ad9a
                                                                                    • Opcode Fuzzy Hash: 04db35c7b937425b50a6ceaf3161d73512f79915430dec5b5809449780ece080
                                                                                    • Instruction Fuzzy Hash: 41D012262586327A52513759B8044BFABDCDF45562711D41AFD4AC8154D634C8828395
                                                                                    APIs
                                                                                    • lstrcmpiA.KERNEL32(80000011,00000000), ref: 032DDDB5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 1586166983-0
                                                                                    • Opcode ID: 8549ec29291835316df7c891e4a2f5f0e21380675886e8b8426087b38b38c4d5
                                                                                    • Instruction ID: c0d8dc725fea41cdf301ddf1831ffd59556987e0c40a887199e6747603e911a3
                                                                                    • Opcode Fuzzy Hash: 8549ec29291835316df7c891e4a2f5f0e21380675886e8b8426087b38b38c4d5
                                                                                    • Instruction Fuzzy Hash: 76F01233224B03CBCF20DE69D844656F7E8EF49226F194D2EE155D2188DB30D8D5CB61
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,032D9816,EntryPoint), ref: 032D638F
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,032D9816,EntryPoint), ref: 032D63A9
                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 032D63CA
                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 032D63EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 1965334864-0
                                                                                    • Opcode ID: 28c64165cb1bf47b3935bd8244fc87fb949c7bcc6b861d18b83eab7ee50c1d75
                                                                                    • Instruction ID: 0a72e2d976fa6dccb4647aad260a6fceb771537fc60294be430342ed63bd1f8e
                                                                                    • Opcode Fuzzy Hash: 28c64165cb1bf47b3935bd8244fc87fb949c7bcc6b861d18b83eab7ee50c1d75
                                                                                    • Instruction Fuzzy Hash: A8117775610219BFDB519F65DC49F9B3BACEB04BA5F158064F905DF280D6B1DC408AB0
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,032D1839,032D9646), ref: 032D1012
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 032D10C2
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 032D10E1
                                                                                    • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 032D1101
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 032D1121
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 032D1140
                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 032D1160
                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 032D1180
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 032D119F
                                                                                    • GetProcAddress.KERNEL32(00000000,NtClose), ref: 032D11BF
                                                                                    • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 032D11DF
                                                                                    • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 032D11FE
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 032D121A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                    • API String ID: 2238633743-3228201535
                                                                                    • Opcode ID: cf74db1686494fbdee0911db4c3a10cdd11581719cd58aaea48ff70a7810d77d
                                                                                    • Instruction ID: f5c0247177e1e8692170eb3b10072b1d43f0021b739da24bbcb90e4fa9c6e1a6
                                                                                    • Opcode Fuzzy Hash: cf74db1686494fbdee0911db4c3a10cdd11581719cd58aaea48ff70a7810d77d
                                                                                    • Instruction Fuzzy Hash: 9D51F479126603AAC750FA6DFC4E76272E86748733F0883669620CB5D8D7B4E4D1CF61
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 032DB2B3
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 032DB2C2
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 032DB2D0
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 032DB2E1
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 032DB31A
                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 032DB329
                                                                                    • wsprintfA.USER32 ref: 032DB3B7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                    • API String ID: 766114626-2976066047
                                                                                    • Opcode ID: 73966ee7c1c289fd81d764e05fdc9b5287866fb141d2e5ded9b76e87b1fde016
                                                                                    • Instruction ID: 2872d2ffecadfc7a3fe981680a1588966f7c8d406e13c64b4088ff0ada98224b
                                                                                    • Opcode Fuzzy Hash: 73966ee7c1c289fd81d764e05fdc9b5287866fb141d2e5ded9b76e87b1fde016
                                                                                    • Instruction Fuzzy Hash: 6E5191B1D2022DAACF10DFD6D88A4EEBBB9FF48704F549019E501BA150D3B05ACACB94
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                    • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                    • API String ID: 2400214276-165278494
                                                                                    • Opcode ID: fc2e5309d339ebb7d8c607486fc7eeabf702085197a50a293bf8ee4e5d18029c
                                                                                    • Instruction ID: 073e492702eada433f2c7c17465ad8c251bea76e59c8d0a8c6e640a0f54b5e8a
                                                                                    • Opcode Fuzzy Hash: fc2e5309d339ebb7d8c607486fc7eeabf702085197a50a293bf8ee4e5d18029c
                                                                                    • Instruction Fuzzy Hash: C8616E72960208AFDF60EFB5DC45FEA77F9FB08300F548069F969D6112DAB1A9818F50
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$send$lstrlenrecv
                                                                                    • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                    • API String ID: 3650048968-4264063882
                                                                                    • Opcode ID: bb117beea2682c51647a2701853e46de0b68672446c75551373944ed72c0d836
                                                                                    • Instruction ID: 45d77fe57449e092d808d6c772f26053f81dd642578713259626f08330d5546f
                                                                                    • Opcode Fuzzy Hash: bb117beea2682c51647a2701853e46de0b68672446c75551373944ed72c0d836
                                                                                    • Instruction Fuzzy Hash: 94A15B71934346AEDF20DA54EC8AFBE7779FB10304F188466F905AF080DAF199CA8755
                                                                                    APIs
                                                                                    • ShellExecuteExW.SHELL32(?), ref: 032D139A
                                                                                    • lstrlenW.KERNEL32(-00000003), ref: 032D1571
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShelllstrlen
                                                                                    • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                    • API String ID: 1628651668-179334549
                                                                                    • Opcode ID: bbcf95377ff21346a4c13427206cbe99bb6caa175215490e1427de0da216ac78
                                                                                    • Instruction ID: de963388befbe531dfd8d0eeef405f3d446ad3840604a3dadab6b7edfd9aaa99
                                                                                    • Opcode Fuzzy Hash: bbcf95377ff21346a4c13427206cbe99bb6caa175215490e1427de0da216ac78
                                                                                    • Instruction Fuzzy Hash: BAF1AFB55183419FD320DF64D889B6BB7E9FB88301F04892DF6968B390D7B4E884CB52
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 032D2A83
                                                                                    • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 032D2A86
                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 032D2AA0
                                                                                    • htons.WS2_32(00000000), ref: 032D2ADB
                                                                                    • select.WS2_32 ref: 032D2B28
                                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 032D2B4A
                                                                                    • htons.WS2_32(?), ref: 032D2B71
                                                                                    • htons.WS2_32(?), ref: 032D2B8C
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 032D2BFB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                    • String ID:
                                                                                    • API String ID: 1639031587-0
                                                                                    • Opcode ID: 2303f43c5a887c351340925e9e9b214b2ed6fc85574a866e49cff3e9a52a7e66
                                                                                    • Instruction ID: 34fcad3013905290aafda214af09c4577bca925fc26220b6d55cd09485e414a1
                                                                                    • Opcode Fuzzy Hash: 2303f43c5a887c351340925e9e9b214b2ed6fc85574a866e49cff3e9a52a7e66
                                                                                    • Instruction Fuzzy Hash: EC61C075918305DBC720EF65E809B6BBBE8FB88751F068C09F9499F140D7F1D8818BA2
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 032D70C2
                                                                                    • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 032D719E
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 032D71B2
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 032D7208
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 032D7291
                                                                                    • ___ascii_stricmp.LIBCMT ref: 032D72C2
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 032D72D0
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 032D7314
                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 032D738D
                                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 032D73D8
                                                                                      • Part of subcall function 032DF1A5: lstrlenA.KERNEL32(000000C8,000000E4,032E22F8,000000C8,032D7150,?), ref: 032DF1AD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                    • String ID: $"
                                                                                    • API String ID: 4293430545-3817095088
                                                                                    • Opcode ID: 73dc439612cad8cbe75f5fcf459a12e1b41ee247795d5e4451153406fa70fc3a
                                                                                    • Instruction ID: f0634ef09408efa62e52211baa4d07c6cb59b9dfc4c2e3dc9cb7fda876724973
                                                                                    • Opcode Fuzzy Hash: 73dc439612cad8cbe75f5fcf459a12e1b41ee247795d5e4451153406fa70fc3a
                                                                                    • Instruction Fuzzy Hash: A7B1A47182420ABEDF15EFA4DC45BEEB7B8EF04311F144566F501EA080EBB59AC5CB60
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 032DAD98
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 032DADA6
                                                                                      • Part of subcall function 032DAD08: gethostname.WS2_32(?,00000080), ref: 032DAD1C
                                                                                      • Part of subcall function 032DAD08: lstrlenA.KERNEL32(?), ref: 032DAD60
                                                                                      • Part of subcall function 032DAD08: lstrlenA.KERNEL32(?), ref: 032DAD69
                                                                                      • Part of subcall function 032DAD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 032DAD7F
                                                                                      • Part of subcall function 032D30B5: gethostname.WS2_32(?,00000080), ref: 032D30D8
                                                                                      • Part of subcall function 032D30B5: gethostbyname.WS2_32(?), ref: 032D30E2
                                                                                    • wsprintfA.USER32 ref: 032DAEA5
                                                                                      • Part of subcall function 032DA7A3: inet_ntoa.WS2_32(00000000), ref: 032DA7A9
                                                                                    • wsprintfA.USER32 ref: 032DAE4F
                                                                                    • wsprintfA.USER32 ref: 032DAE5E
                                                                                      • Part of subcall function 032DEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 032DEF92
                                                                                      • Part of subcall function 032DEF7C: lstrlenA.KERNEL32(?), ref: 032DEF99
                                                                                      • Part of subcall function 032DEF7C: lstrlenA.KERNEL32(00000000), ref: 032DEFA0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                    • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                    • API String ID: 3631595830-1816598006
                                                                                    • Opcode ID: c2805d147a84108a90ed09d4b5265056ec7b8fda0be28206be98807a4423c024
                                                                                    • Instruction ID: f559b929fb71f76b801fcdfe8e747e9a030d803a059675a7f07e6422e703ffd1
                                                                                    • Opcode Fuzzy Hash: c2805d147a84108a90ed09d4b5265056ec7b8fda0be28206be98807a4423c024
                                                                                    • Instruction Fuzzy Hash: DE4161B681030CBFDF25EFA1DC46EEE3BADFB08300F14441AB9259A151EAB1D5858B60
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,032D2F0F,?,032D20FF,032E2000), ref: 032D2E01
                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,032D2F0F,?,032D20FF,032E2000), ref: 032D2E11
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 032D2E2E
                                                                                    • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,032D2F0F,?,032D20FF,032E2000), ref: 032D2E4C
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,032D2F0F,?,032D20FF,032E2000), ref: 032D2E4F
                                                                                    • htons.WS2_32(00000035), ref: 032D2E88
                                                                                    • inet_addr.WS2_32(?), ref: 032D2E93
                                                                                    • gethostbyname.WS2_32(?), ref: 032D2EA6
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,032D2F0F,?,032D20FF,032E2000), ref: 032D2EE3
                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,032D2F0F,?,032D20FF,032E2000), ref: 032D2EE6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                                    • API String ID: 929413710-2099955842
                                                                                    • Opcode ID: 3bf95aeefb8b0e85aaefc6e830583acd199f30e85995f07fc66576494a443325
                                                                                    • Instruction ID: 3a63991475430e6d7ec95f3d82e79bfbdbf442003d3f6653fbece48efbba8573
                                                                                    • Opcode Fuzzy Hash: 3bf95aeefb8b0e85aaefc6e830583acd199f30e85995f07fc66576494a443325
                                                                                    • Instruction Fuzzy Hash: 9A31B63591030BEBDF11EBB99849A6EB7B8EF08761F188555F914EB2C0D770E5828BD0
                                                                                    APIs
                                                                                    • GetVersionExA.KERNEL32(?,?,032D9DD7,?,00000022,?,?,00000000,00000001), ref: 032D9340
                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,032D9DD7,?,00000022,?,?,00000000,00000001), ref: 032D936E
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,032D9DD7,?,00000022,?,?,00000000,00000001), ref: 032D9375
                                                                                    • wsprintfA.USER32 ref: 032D93CE
                                                                                    • wsprintfA.USER32 ref: 032D940C
                                                                                    • wsprintfA.USER32 ref: 032D948D
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 032D94F1
                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 032D9526
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 032D9571
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                    • String ID: runas
                                                                                    • API String ID: 3696105349-4000483414
                                                                                    • Opcode ID: 0dcf6b7cf5d582b308a320829d8a46569d30af24960b274ba9484df2db7d3f05
                                                                                    • Instruction ID: 49dd40a8417d437d2cc67aa2b946699037f859654d3262a5f8341a6280035615
                                                                                    • Opcode Fuzzy Hash: 0dcf6b7cf5d582b308a320829d8a46569d30af24960b274ba9484df2db7d3f05
                                                                                    • Instruction Fuzzy Hash: 84A191B2960308EFEB25EFA1DC49FDE3BACEB04741F148025FA15AA141D7B5D5C58BA0
APIs
• GetTickCount.KERNEL32 ref: 032D2078
• GetTickCount.KERNEL32 ref: 032D20D4
• GetTickCount.KERNEL32 ref: 032D20DB
• GetTickCount.KERNEL32 ref: 032D212B
• GetTickCount.KERNEL32 ref: 032D2132
• GetTickCount.KERNEL32 ref: 032D2142
  • Part of subcall function 032DF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,032DE342,00000000,75A8EA50,80000001,00000000,032DE513,?,00000000,00000000,?,000000E4), ref: 032DF089
  • Part of subcall function 032DF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,032DE342,00000000,75A8EA50,80000001,00000000,032DE513,?,00000000,00000000,?,000000E4,000000C8), ref: 032DF093
  • Part of subcall function 032DE854: lstrcpyA.KERNEL32(00000001,?,?,032DD8DF,00000001,localcfg,except_info,00100000,032E0264), ref: 032DE88B
  • Part of subcall function 032DE854: lstrlenA.KERNEL32(00000001,?,032DD8DF,00000001,localcfg,except_info,00100000,032E0264), ref: 032DE899
  • Part of subcall function 032D1C5F: wsprintfA.USER32 ref: 032D1CE1
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: VsF$localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-3835698586
APIs
• wsprintfA.USER32 ref: 032DB467
  • Part of subcall function 032DEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 032DEF92
  • Part of subcall function 032DEF7C: lstrlenA.KERNEL32(?), ref: 032DEF99
  • Part of subcall function 032DEF7C: lstrlenA.KERNEL32(00000000), ref: 032DEFA0
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
APIs
  • Part of subcall function 032DA4C7: GetTickCount.KERNEL32 ref: 032DA4D1
  • Part of subcall function 032DA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 032DA4FA
• GetTickCount.KERNEL32 ref: 032DC31F
• GetTickCount.KERNEL32 ref: 032DC32B
• GetTickCount.KERNEL32 ref: 032DC363
• GetTickCount.KERNEL32 ref: 032DC378
• GetTickCount.KERNEL32 ref: 032DC44D
• InterlockedIncrement.KERNEL32(032DC4E4), ref: 032DC4AE
• CreateThread.KERNEL32(00000000,00000000,032DB535,00000000,?,032DC4E0), ref: 032DC4C1
• CloseHandle.KERNEL32(00000000,?,032DC4E0,032E3588,032D8810), ref: 032DC4CC
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 032DBE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 032DBE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 032DBE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 032DBF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 032DBF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 032DBF94
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6A7D
• GetDiskFreeSpaceA.KERNEL32(032D9E9D,032D9A60,?,?,?,032E22F8,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,032D9A60,?,?,032D9E9D), ref: 032D6B80
• GetLastError.KERNEL32(?,?,?,032D9A60,?,?,032D9E9D,?,?,?,?,?,032D9E9D,?,00000022,?), ref: 032D6B96
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
APIs
• GetUserNameA.ADVAPI32(?,032DD7C3), ref: 032D6F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,032DD7C3), ref: 032D6FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 032D6FE8
• LocalFree.KERNEL32(00000120), ref: 032D701F
• wsprintfA.USER32 ref: 032D7036
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,032E22F8,000000E4,032D6DDC,000000C8), ref: 032D6CE7
• GetProcAddress.KERNEL32(00000000), ref: 032D6CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 032D6D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 032D6D2B
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
APIs
• CreateProcessA.KERNEL32(00000000,032D9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,032E22F8), ref: 032D97B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,032E22F8), ref: 032D97EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,032E22F8), ref: 032D97F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,032E22F8), ref: 032D9831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,032E22F8), ref: 032D984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,032E22F8), ref: 032D985B
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
  • Part of subcall function 032DDD05: GetTickCount.KERNEL32 ref: 032DDD0F
  • Part of subcall function 032DDD05: InterlockedExchange.KERNEL32(032E36B4,00000001), ref: 032DDD44
  • Part of subcall function 032DDD05: GetCurrentThreadId.KERNEL32 ref: 032DDD53
  • Part of subcall function 032DDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 032DDDB5
• lstrcpynA.KERNEL32(?,032D1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,032DEAAA,?,?), ref: 032DE8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,032DEAAA,?,?,00000001,?,032D1E84,?), ref: 032DE935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,032DEAAA,?,?,00000001,?,032D1E84,?,0000000A), ref: 032DE93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,032DEAAA,?,?,00000001,?,032D1E84,?), ref: 032DE94F
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,032E22F8), ref: 032D907B
• wsprintfA.USER32 ref: 032D90E9
• CreateFileA.KERNEL32(032E22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 032D910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 032D9122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 032D912D
• CloseHandle.KERNEL32(00000000), ref: 032D9134
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 032DDD0F
• GetCurrentThreadId.KERNEL32 ref: 032DDD20
• GetTickCount.KERNEL32 ref: 032DDD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,032DE538,?,74DF0F10,?,00000000,?,032DA445), ref: 032DDD3B
• InterlockedExchange.KERNEL32(032E36B4,00000001), ref: 032DDD44
• GetCurrentThreadId.KERNEL32 ref: 032DDD53
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• API String ID: 3819781495-0
• Opcode ID: 7ad9ca336262801098a44e5be07953024cc84bfa27d474ba747d29f6e644909b
• Instruction ID: b9e268f1dd2ad5d773758318981dcff96cb34c11f65d31e6a94aa8d0d725112a
• Opcode Fuzzy Hash: 7ad9ca336262801098a44e5be07953024cc84bfa27d474ba747d29f6e644909b
• Instruction Fuzzy Hash: 69F05E77524204DBDBC0FBB6F89EB797BA9EB44313F00C015E609CB24DD6A050868E66
APIs
• gethostname.WS2_32(?,00000080), ref: 032DAD1C
• lstrlenA.KERNEL32(?), ref: 032DAD60
• lstrlenA.KERNEL32(?), ref: 032DAD69
• lstrcpyA.KERNEL32(?,LocalHost), ref: 032DAD7F
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8f001969616ab06be22837659a447f714ac6ef81752c1aa21348623aa8ec8b8c
• Instruction ID: 5ccff609228107e008a6c027974ad91078fd1ff801bfea7243d16dcf0f2b279c
• Opcode Fuzzy Hash: 8f001969616ab06be22837659a447f714ac6ef81752c1aa21348623aa8ec8b8c
• Instruction Fuzzy Hash: 9A01682486418B5DDF35D629D444FB87F7AAB87606F488095E4C08F11DEBE480C38362
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,032D98FD,00000001,00000100,032E22F8,032DA3C7), ref: 032D4290
• CloseHandle.KERNEL32(032DA3C7), ref: 032D43AB
• CloseHandle.KERNEL32(00000001), ref: 032D43AE
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: CloseHandle$CreateEvent
• API String ID: 1371578007-0
• Opcode ID: 724d390dad1f21b8e47a4154fed32ad1fd7358918e778e428d40f66561f43e8a
• Instruction ID: 060e4d8fbe87ed94235925fbda59c2947aa575aacc545be3fb830c44181ca45d
• Opcode Fuzzy Hash: 724d390dad1f21b8e47a4154fed32ad1fd7358918e778e428d40f66561f43e8a
• Instruction Fuzzy Hash: 7C419175810209BADF10EBA6CD85FAFBFBCEF40324F204555F615AA180DBB49681CBA1
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,032D64CF,00000000), ref: 032D609C
• LoadLibraryA.KERNEL32(?,?,032D64CF,00000000), ref: 032D60C3
• GetProcAddress.KERNEL32(?,00000014), ref: 032D614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 032D619E
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• API String ID: 2438460464-0
• Opcode ID: 0919d69e5af39a1fde7eab30b7dafdfb1d075e1d5a0d8a583d15f652777f7d12
• Instruction ID: 65c198e8439e9b63c5a2b6cd781bd725a0316d02099d8943dde8ef43dec408a7
• Opcode Fuzzy Hash: 0919d69e5af39a1fde7eab30b7dafdfb1d075e1d5a0d8a583d15f652777f7d12
• Instruction Fuzzy Hash: EC41AF75A20207EFDB14CF58D884B69B7B9FF04754F588069E895DB381E770E981CB90
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• Opcode ID: 6492f6b77505b10f22aab95a5a83e4401e78d74e9bcb838cfb59e6f142925578
• Instruction ID: e02564a22afec844b5be67de3e8757c138e6cb60924d2d7fd82b0fe17b7231bd
• Opcode Fuzzy Hash: 6492f6b77505b10f22aab95a5a83e4401e78d74e9bcb838cfb59e6f142925578
• Instruction Fuzzy Hash: AE31A575910319EBCB11DFA5CC81ABEB7F8FF48701F108856E945EB245E3B4D6828B64
APIs
• GetTickCount.KERNEL32 ref: 032D272E
• htons.WS2_32(00000001), ref: 032D2752
• htons.WS2_32(0000000F), ref: 032D27D5
• htons.WS2_32(00000001), ref: 032D27E3
• sendto.WS2_32(?,032E2BF8,00000009,00000000,00000010,00000010), ref: 032D2802
  • Part of subcall function 032DEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,032DEBFE,7FFF0001,?,032DDB55,7FFF0001), ref: 032DEBD3
  • Part of subcall function 032DEBCC: RtlAllocateHeap.NTDLL(00000000,?,032DDB55,7FFF0001), ref: 032DEBDA
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• API String ID: 1128258776-0
• Opcode ID: 5a7cdf3f1fabb5f4010a6986d40cb30d4b49e12f8b539b006ab404d65a03e065
• Instruction ID: e40300cc4ae05ef32859521d1f2baeaf941de45d42d68e2b6a4eff65e728ff27
• Opcode Fuzzy Hash: 5a7cdf3f1fabb5f4010a6986d40cb30d4b49e12f8b539b006ab404d65a03e065
• Instruction Fuzzy Hash: 6C31463425438ADFF720EF75EC85A697778EF19314B19C89DD8568F302D2729482C710
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,032E22F8), ref: 032D915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 032D9166
• CharToOemA.USER32(?,?), ref: 032D9174
• wsprintfA.USER32 ref: 032D91A9
  • Part of subcall function 032D9064: GetTempPathA.KERNEL32(00000400,?,00000000,032E22F8), ref: 032D907B
  • Part of subcall function 032D9064: wsprintfA.USER32 ref: 032D90E9
  • Part of subcall function 032D9064: CreateFileA.KERNEL32(032E22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 032D910E
  • Part of subcall function 032D9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 032D9122
  • Part of subcall function 032D9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 032D912D
  • Part of subcall function 032D9064: CloseHandle.KERNEL32(00000000), ref: 032D9134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 032D91E1
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• API String ID: 3857584221-0
• Opcode ID: facd3e8c4d39e515d84a771be9458f6a840c1368fd67c86e7c66cc7a739bfb82
• Instruction ID: 5aca5788c6c3524078efe7b7b8072668773140abecc151cfae24cac6c911a302
• Opcode Fuzzy Hash: facd3e8c4d39e515d84a771be9458f6a840c1368fd67c86e7c66cc7a739bfb82
• Instruction Fuzzy Hash: 800152FA9002587BDB20E662AD4EEDF777CDB95B01F004091B749EA040D6F096C68F70
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,032D2491,?,?,?,032DE844,-00000030,?,?,?,00000001), ref: 032D2429
• lstrlenA.KERNEL32(?,?,032D2491,?,?,?,032DE844,-00000030,?,?,?,00000001,032D1E3D,00000001,localcfg,lid_file_upd), ref: 032D243E
• lstrcmpiA.KERNEL32(?,?), ref: 032D2452
• lstrlenA.KERNEL32(?,?,032D2491,?,?,?,032DE844,-00000030,?,?,?,00000001,032D1E3D,00000001,localcfg,lid_file_upd), ref: 032D2467
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: 61ac89aa66fabc8f822cd6e9ee05e6577cb852cc8da286cd3bcc31961d1e4902
• Instruction ID: 233c1dd1effeaf2325ad97f3d89d9376b8178945b508f0d7f8f50a918bc62bbf
• Opcode Fuzzy Hash: 61ac89aa66fabc8f822cd6e9ee05e6577cb852cc8da286cd3bcc31961d1e4902
• Instruction Fuzzy Hash: 32011A32610219EFCF11EF69DC858DEBBB9EF44265B05C825EC5997200E370EA818A90
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 582ae02334bdf02985a326045ed4e8ee0661cb63251bec280485f97b5dc50005
• Instruction ID: 809ccd7534aa0a4c013bb359cb0e754ba397a199e69dd17c8cdd4dee178dd28b
• Opcode Fuzzy Hash: 582ae02334bdf02985a326045ed4e8ee0661cb63251bec280485f97b5dc50005
• Instruction Fuzzy Hash: 5A41CC729042999FCB31CFB98C44AEE7BECAF49310F240052F9A4D7142D674E645CBA0
APIs
  • Part of subcall function 032DDD05: GetTickCount.KERNEL32 ref: 032DDD0F
  • Part of subcall function 032DDD05: InterlockedExchange.KERNEL32(032E36B4,00000001), ref: 032DDD44
  • Part of subcall function 032DDD05: GetCurrentThreadId.KERNEL32 ref: 032DDD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,032D5EC1), ref: 032DE693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,032D5EC1), ref: 032DE6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,032D5EC1), ref: 032DE722
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: c5830f5333aaddc2d07589c1262a798bf397262bf6689b1444945029ca3e5126
• Instruction ID: 847a3181fe5579a8b3e6b7234a55e85d9e955865d0b865b1bf0015a6e57d07b8
• Opcode Fuzzy Hash: c5830f5333aaddc2d07589c1262a798bf397262bf6689b1444945029ca3e5126
• Instruction Fuzzy Hash: 9731D031524706DBDF31DE60D884B6677E8BF00721F1A886EE4568F580E7B0E8C0CB81
APIs
• RegCreateKeyExA.ADVAPI32(80000001,032DE2A3,00000000,00000000,00000000,00020106,00000000,032DE2A3,00000000,000000E4), ref: 032DE0B2
• RegSetValueExA.ADVAPI32(032DE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,032E22F8), ref: 032DE127
• RegDeleteValueA.ADVAPI32(032DE2A3,?,?,?,?,?,000000C8,032E22F8), ref: 032DE158
• RegCloseKey.ADVAPI32(032DE2A3,?,?,?,?,000000C8,032E22F8,?,?,?,?,?,?,?,?,032DE2A3), ref: 032DE161
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• API String ID: 2667537340-0
• Opcode ID: 58cd4026598411c9a7b7644f5d63e296d1bd36454dcc485fb417f11e4a455570
• Instruction ID: 090016275c2c0467b5fa011f9f6dced8d29a2ee9fbf81b663baa9dde7c959196
• Opcode Fuzzy Hash: 58cd4026598411c9a7b7644f5d63e296d1bd36454dcc485fb417f11e4a455570
• Instruction Fuzzy Hash: CB216F71A1021ABBDF20DEA5EC89EDE7F79EF09B50F058061F904EA150E671CA55CBA0
APIs
• WriteFile.KERNEL32(00000000,00000000,032DA3C7,00000000,00000000,000007D0,00000001), ref: 032D3F44
• GetLastError.KERNEL32 ref: 032D3F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 032D3F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 032D3F72
Memory Dump Source
• Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• API String ID: 3373104450-0
• Opcode ID: 46d4e30635958ac0df0988fd084f75e22bc6a73b7b3107c05ac02e5c0b5f84b4
• Instruction ID: d925c192c0f48a64cc850b1b7b1caea1170bfc20933abc0971aae246cd047c9a
• Opcode Fuzzy Hash: 46d4e30635958ac0df0988fd084f75e22bc6a73b7b3107c05ac02e5c0b5f84b4
• Instruction Fuzzy Hash: 1901E97252110EAFDF01DE91ED89BEF7B7CEB04256F508055FA01E6040D770DA558BB2
                                                                                    APIs
                                                                                    • ReadFile.KERNEL32(00000000,00000000,032DA3C7,00000000,00000000,000007D0,00000001), ref: 032D3FB8
                                                                                    • GetLastError.KERNEL32 ref: 032D3FC2
                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 032D3FD3
                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 032D3FE6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 888215731-0
                                                                                    • Opcode ID: 2e3b0f83deab0b244e26e86ae6030e26a0357169f84dc00036326cd3d95d49da
                                                                                    • Instruction ID: 47b94826b0aba7e7bd94dbc6fc0f20664cea409648fdcbece86260a0fbef67db
                                                                                    • Opcode Fuzzy Hash: 2e3b0f83deab0b244e26e86ae6030e26a0357169f84dc00036326cd3d95d49da
                                                                                    • Instruction Fuzzy Hash: 1201A97252010EAFDF11DF95E989BEE7B7CEB04256F108451FA02E6090D770DA598BB2
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 032D4BDD
                                                                                    • GetTickCount.KERNEL32 ref: 032D4BEC
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,0362C174,032D50F2), ref: 032D4BF9
                                                                                    • InterlockedExchange.KERNEL32(0362C168,00000001), ref: 032D4C02
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 982bca8c9fbbddd9120b1adc4ef0f935d041c9bdb7c1686f79512d16b7a9e073
                                                                                    • Instruction ID: a6545fef5457be96dd28867e99e529284e0753c0b49b64a2a9f650d295ce8d46
                                                                                    • Opcode Fuzzy Hash: 982bca8c9fbbddd9120b1adc4ef0f935d041c9bdb7c1686f79512d16b7a9e073
                                                                                    • Instruction Fuzzy Hash: 67E07D3361020417C71072FBFC84F6A775CDB95273F068072F708C6140CDE2A48245B1
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 032D4E9E
                                                                                    • GetTickCount.KERNEL32 ref: 032D4EAD
                                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 032D4EBA
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 032D4EC3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: eca4b2147c0deaea35a4cbd51e7e2ca9164edec780b6eabae66b3c00ab4eb73c
                                                                                    • Instruction ID: 8253431f762094eb7ee3fcba3962276d17d240f4e5b719b6e1af82cfb4c05a43
                                                                                    • Opcode Fuzzy Hash: eca4b2147c0deaea35a4cbd51e7e2ca9164edec780b6eabae66b3c00ab4eb73c
                                                                                    • Instruction Fuzzy Hash: CBE0263321020427D60072BBFC89E56725D9B85272F014172E608C6144C9E6958305F1
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 032DA4D1
                                                                                    • GetTickCount.KERNEL32 ref: 032DA4E4
                                                                                    • Sleep.KERNEL32(00000000,?,032DC2E9,032DC4E0,00000000,localcfg,?,032DC4E0,032E3588,032D8810), ref: 032DA4F1
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 032DA4FA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 9baf674c82538c5277459b5a565c31985e78b6c816ca04a1508e00e670e06609
                                                                                    • Instruction ID: ddb23e23d6c7a5398edd2e3b71fd58bbddeda62e4c230e0373fb600053ed4354
                                                                                    • Opcode Fuzzy Hash: 9baf674c82538c5277459b5a565c31985e78b6c816ca04a1508e00e670e06609
                                                                                    • Instruction Fuzzy Hash: 33E07D3321020557CB00B7E7FC89F6B339CEB89672F05C061FB04D7140D696A58245B6
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 032D3103
                                                                                    • GetTickCount.KERNEL32 ref: 032D310F
                                                                                    • Sleep.KERNEL32(00000000), ref: 032D311C
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 032D3128
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2207858713-0
                                                                                    • Opcode ID: 2c03228b0e3f68b8d0048fa5b84ddebff01d067e32ec4c1af3ae27cceadffb12
                                                                                    • Instruction ID: 2b67316f33b8bd831e595cab8b8a30f51091f3a783a411db32dd21bf43273947
                                                                                    • Opcode Fuzzy Hash: 2c03228b0e3f68b8d0048fa5b84ddebff01d067e32ec4c1af3ae27cceadffb12
                                                                                    • Instruction Fuzzy Hash: 11E0CD3A6102165BDB00F777FD4AB496B5DEF84B62F01C071F301D6054C6D088414D72
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: CountTick
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 536389180-1857712256
                                                                                    • Opcode ID: 4949a1c7c028613f5bddca867cc580e93b26e76c6d8da7bc06333ac8d9a2db4b
                                                                                    • Instruction ID: 096c2ee11609b225cfbd4f0f0357b6f823cca8feff2de35f1cad749234f6f274
                                                                                    • Opcode Fuzzy Hash: 4949a1c7c028613f5bddca867cc580e93b26e76c6d8da7bc06333ac8d9a2db4b
                                                                                    • Instruction Fuzzy Hash: FA21DA37A34616AFDB10DFB8D89596AB7B9FF31251B2D4099D401DF189CB70E980C790
                                                                                    Strings
                                                                                    • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 032DC057
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: CountTickwsprintf
                                                                                    • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                    • API String ID: 2424974917-1012700906
                                                                                    • Opcode ID: 6103dc6ac98aac228e5deda720fc66029abc3b3b3886e59aa463616cab22a85d
                                                                                    • Instruction ID: 698f64ce3eeaf92b12176444dc8f7ad889e335a7c5fa4c8787962480314f8184
                                                                                    • Opcode Fuzzy Hash: 6103dc6ac98aac228e5deda720fc66029abc3b3b3886e59aa463616cab22a85d
                                                                                    • Instruction Fuzzy Hash: CF119772100100FFDB429AA9DD48E567FA6FF88319B34819CF6188E126D633D863EB50
                                                                                    APIs
                                                                                    • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 032D26C3
                                                                                    • inet_ntoa.WS2_32(?), ref: 032D26E4
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: gethostbyaddrinet_ntoa
                                                                                    • String ID: localcfg
                                                                                    • API String ID: 2112563974-1857712256
                                                                                    • Opcode ID: d1b73e2581a3f19001ffd299ed989df980a94ca182200dbc51e0055c25e6c18f
                                                                                    • Instruction ID: 0ed833139822ea3aece3681514229d42dd02d9936c8fb6ed5e3b7a9c5e321e93
                                                                                    • Opcode Fuzzy Hash: d1b73e2581a3f19001ffd299ed989df980a94ca182200dbc51e0055c25e6c18f
                                                                                    • Instruction Fuzzy Hash: 93F03736168309BFEF00EFA4EC09A9A379CDF05650F14C425FA08DE090DBB1D58097D8
                                                                                    APIs
                                                                                    • RegisterServiceCtrlHandlerA.ADVAPI32(rxarouyf,Function_00009867), ref: 032D996C
                                                                                      • Part of subcall function 032D9892: SetServiceStatus.ADVAPI32(032E3394), ref: 032D98EB
                                                                                      • Part of subcall function 032D98F2: Sleep.KERNEL32(000003E8,00000100,032E22F8,032DA3C7), ref: 032D9909
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                                    • String ID: 8sV$rxarouyf
                                                                                    • API String ID: 1317371667-2134686474
                                                                                    • Opcode ID: 34f4ed61b4e78e38fd1d689e5d661642d85dab663c062f85d28d38ba4b537ab8
                                                                                    • Instruction ID: f1829af98d8ffbca99ef88a7413f8e20d6eadb136f69a3a548078a37e93c3b62
                                                                                    • Opcode Fuzzy Hash: 34f4ed61b4e78e38fd1d689e5d661642d85dab663c062f85d28d38ba4b537ab8
                                                                                    • Instruction Fuzzy Hash: 3CF0F4B5551345AEE610FB507DCFF56B748A710746F0C8065BA058E149EBF54CC482A1
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,032DEB54,_alldiv,032DF0B7,80000001,00000000,00989680,00000000,?,?,?,032DE342,00000000,75A8EA50,80000001,00000000), ref: 032DEAF2
                                                                                    • GetProcAddress.KERNEL32(76E90000,00000000), ref: 032DEB07
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: ntdll.dll
                                                                                    • API String ID: 2574300362-2227199552
                                                                                    • Opcode ID: 71395384aeba73c2fb206adba648b1b2141f59bc8adf4c1b761ff31aa4f3b4cd
                                                                                    • Instruction ID: 4a73fd12c51179cdb9ee433c3bb180a0300594a246275c0e0afd8f98f74734f6
                                                                                    • Opcode Fuzzy Hash: 71395384aeba73c2fb206adba648b1b2141f59bc8adf4c1b761ff31aa4f3b4cd
                                                                                    • Instruction Fuzzy Hash: 4CD0C9386213039BCF62EF77F90F90976ACBB44A03B91C055A516CE505E774E485DA04
                                                                                    APIs
                                                                                      • Part of subcall function 032D2D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,032D2F01,?,032D20FF,032E2000), ref: 032D2D3A
                                                                                      • Part of subcall function 032D2D21: LoadLibraryA.KERNEL32(?), ref: 032D2D4A
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 032D2F73
                                                                                    • HeapFree.KERNEL32(00000000), ref: 032D2F7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.2918998369.00000000032D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_14_2_32d0000_svchost.jbxd
                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1017166417-0
                                                                                    • Opcode ID: f03868587c80e9751ece5c663b1c6554507b182a6647d27d124a96e9e3c1b9bd
                                                                                    • Instruction ID: 7e2bc4a14d801ef8a7290e1e0920ae360ebcf22b7b7429512f846ff2eea4a0e2
                                                                                    • Opcode Fuzzy Hash: f03868587c80e9751ece5c663b1c6554507b182a6647d27d124a96e9e3c1b9bd
                                                                                    • Instruction Fuzzy Hash: F351B07591020ADFCB01DF64E8889F9B779FF05304F2485A9ED96CB210E7729A59CB80